byted-las-pdf-parse-doubao
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were detected. The skill implementation aligns with its stated purpose of PDF parsing via the Volcano Engine (ByteDance) LAS-AI API.
- [EXTERNAL_DOWNLOADS]: The skill fetches PDF content from external URLs. It implements proactive security measures by validating hostnames and blocking access to private IP ranges to prevent Server-Side Request Forgery (SSRF) attacks.
- [COMMAND_EXECUTION]: The provided `scripts/skill.py` is a standard CLI utility for task submission and polling. It uses the `requests` library for communication with vendor-owned API endpoints.
- [CREDENTIALS_UNSAFE]: The skill manages authentication using the `LAS_API_KEY` environment variable or an `env.sh` file. This is standard practice for CLI tools and does not involve hardcoded secrets.
- [DATA_EXFILTRATION]: Communication is restricted to authorized ByteDance infrastructure (`*.volces.com`). No unauthorized data transmission or exfiltration patterns were identified.
Audit Metadata