CinePrompt
Security checks across malware telemetry and agentic risk
Overview
CinePrompt mostly matches its stated prompt-sharing purpose, but its helper code can use an undeclared high-privilege service key to write directly to its backend.
Review before installing. Use the normal CinePrompt API key only, do not provide CINEPROMPT_SERVICE_KEY or other service-role credentials to the agent, avoid putting sensitive information in share-link prompts, and verify the npm package before any global install.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the CINEPROMPT_SERVICE_KEY environment variable is present, the skill may use high-privilege backend credentials instead of a normal user API key.
The helper can read a service key from the environment and use it as a bearer credential for direct Supabase insertion, which is more privileged than the normal public API-key workflow.
const serviceKey = process.env.CINEPROMPT_SERVICE_KEY; ... result = await createDirect(serviceKey, promptText, stateJson, mode); ... 'Authorization': `Bearer ${serviceKey}`
Use only the normal --api-key or CINEPROMPT_API_KEY path for public use, do not expose service-role keys to the agent, and remove or clearly gate the direct-insert path.
Prompt content leaves the local environment and may be stored remotely for the generated share link.
The helper sends the user's prompt text, state JSON, and API key to the CinePrompt/Supabase endpoint to create a share link.
body: JSON.stringify({ api_key: apiKey, prompt_text: promptText, state_json: stateJson, share_mode: mode })
Do not include private or sensitive information in prompts unless you are comfortable sending it to CinePrompt for link creation.
A global npm install runs and exposes code from the npm package on the user's machine.
The skill documents installing a global npm CLI without a pinned version or registry install spec in the supplied artifacts.
npm install -g cineprompt
Verify the package publisher and version before installing globally, or install in a controlled environment.
The bundle contains an unrelated social-posting placeholder; no operational X posting behavior is shown in the artifact.
An included script references posting to X, which is outside the stated prompt/share-link purpose, although the provided script only echoes messages and contains no actual posting logic.
This script will post today's CinePrompt guide to X.
Do not run unrelated helper scripts unless they are documented and needed; the publisher should remove or clearly explain this file.
