Live Stream Script
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill mainly generates live-stream scripts and shows no credential, network, or destructive behavior, but users should notice its aggressive sales-pressure templates and a helper script that logs command topics locally.
This appears safe to install from an agent-security perspective: it does not show network calls, credential use, destructive actions, or broad file access. Review its sales templates for truthfulness before using them publicly, and be aware that one included helper script stores command history locally.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the scripts verbatim could create deceptive or high-pressure sales messaging if stock, pricing, giveaways, or popularity claims are not accurate.
The generated closing script uses urgency, scarcity, and social-proof claims. This is purpose-aligned for a sales-script generator, but those claims could mislead viewers if the streamer does not verify they are true.
注意!这个价格只有今天有! 而且库存只备了XXX件! 已经卖了XX件了,就剩XX件!
Before using generated sales language, replace placeholders with truthful facts and avoid false scarcity, fake social proof, or unverified lowest-price claims.
Product names, campaign topics, or other business details entered into that helper may remain on disk in the user's home data directory.
This helper stores command names and user-provided arguments in a local history log. The behavior is local and limited, but SKILL.md does not mention this persistence.
DATA_DIR="${LIVE_STREAM_SCRIPT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/live-stream-script}"
_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }Avoid entering confidential campaign details unless local logging is acceptable, or clear the history log after use.
The skill may require a wrapper or alias not shown in the artifacts, which can make installation and invocation less transparent.
The documented command name is live.sh, while the provided manifest contains scripts/live_gen.py, scripts/livestream.sh, and scripts/script.sh rather than a file named live.sh. This is an entrypoint/packaging clarity issue rather than evidence of malicious behavior.
live.sh warmup "产品"
Confirm the installed command mapping before relying on the skill, and prefer packages that clearly declare their executable entrypoint and runtime dependency.