Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Film Production Assistant

v1.0.1

Pre-production assistant for filmmakers. Generates script breakdowns, shot lists, call sheets, production schedules, and budget estimates from scene descript...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included prompt templates, reference structures, and example outputs (script breakdown, shot list, call sheet, schedule, budget). There are no unrelated required environment variables, binaries, or config paths. One small metadata inconsistency: SKILL.md documents an optional pandoc dependency while the registry metadata lists no required binaries — this is explanatory (export feature) rather than a capability mismatch.
Instruction Scope
Runtime instructions stay within the pre-production domain: read bundled prompt templates, fill them with user input, call an LLM, and optionally export via pandoc only when the user explicitly requests. The only operational risk is the provided shell snippet for export (echo to /tmp and pandoc to a user-specified path): if user-supplied filenames/paths are inserted without sanitization the agent could overwrite files or allow path traversal. The skill does instruct to ask the user for a save location and to confirm the save, which mitigates but does not eliminate the risk. There are no instructions to read system files or external credentials.
Install Mechanism
This is instruction-only with no install spec or code to download/execute. The only external tool referenced is pandoc for optional .docx export (the SKILL.md suggests 'brew install pandoc' on Mac). That is a standard, low-risk external tool and its use is limited and opt-in.
Credentials
The skill requests no environment variables, no credentials, and no config paths. All data used is provided by the user (scene/project text). Nothing disproportionate is being requested.
Persistence & Privilege
Flags show always: false and user-invocable: true. The skill does not request permanent presence, modify other skills, or access system‑wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default and not in itself a concern here.
Assessment
This skill appears coherent and focused on film pre-production. Before using it: (1) Confirm you only export files when you explicitly ask — the skill's export uses a shell snippet that writes to /tmp and then to a user-specified path; avoid supplying sensitive or system paths and the agent should prompt you for and validate the destination. (2) If you will use the .docx export, install pandoc from a trusted source and verify the agent asks for the save location and confirms the final path. (3) Treat any scene text you paste as potentially sensitive (it may include personal data or contact info for call sheets); review outputs before distributing. (4) If you want stronger safety, test the export flow with a dummy project and a harmless destination first. Overall the package is internally consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

Tags: call-sheet, film, filmmaking, latest, production, screenplay, shot-list
