Film Production Assistant
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a coherent film-planning prompt library, but its optional Word export recipe interpolates generated and user-provided text and paths directly into a shell command, which could run unintended local commands.
This skill appears useful and mostly self-contained, but treat the Word export feature carefully. Prefer text output unless the export command is implemented safely, and avoid pasting private addresses, phone numbers, or production details into online LLMs unless you are comfortable sharing them there.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user exports a document containing maliciously crafted text or path characters, the agent could run unintended local shell commands or write files somewhere unexpected.
The export recipe places generated output and a user-specified path directly inside a shell command. If that text contains shell substitutions or quoting edge cases, the shell could execute unintended commands. The instruction is user-gated, which limits risk, but the command construction itself is unsafe.
    echo "{{output}}" > /tmp/film-output.md
    pandoc /tmp/film-output.md -o "{{user-specified-path}}/{{ProjectTitle}}-{{DocumentType}}.docx"

Use a safe file-write API or pass pandoc arguments without a shell; create a secure temporary file; validate the output path; and confirm before overwriting existing files.
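A safe replacement for the export recipe above, written as an added example for this review rather than the skill's own code: the generated text goes through a file-write API into a `mkstemp` temporary file instead of a fixed `/tmp` name, the user-specified directory must resolve inside an allowed root, the project title and document type are reduced to safe filename components, pandoc is invoked as an argv list with no shell, and an existing `.docx` is not overwritten unless the caller asks for it. The function and parameter names, the allowed-root policy and the injectable `runner` (so the logic can be exercised without pandoc installed) are assumptions.

```python
"""Safe Word export for a film-planning skill (added example, not the skill's code)."""
import os
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List

# Assumed policy: only these characters survive in a filename component
# built from user or model text; every other run of characters becomes "_".
_UNSAFE_RUN = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_component(text: str, max_len: int = 64) -> str:
    """Turn free text (e.g. a project title) into one safe filename component."""
    cleaned = _UNSAFE_RUN.sub("_", text.strip()).strip("._")
    if not cleaned:
        raise ValueError("empty filename component after sanitising")
    return cleaned[:max_len]


def resolve_output_path(user_dir: str, title: str, doc_type: str, allowed_root: Path) -> Path:
    """Validate the user-specified directory and build the .docx path.

    The directory must resolve inside allowed_root (this blocks ../ and
    symlink escapes as well as absolute paths) and must already exist.
    The filename is built from sanitised components, so path separators
    or shell metacharacters in the title cannot change where the file lands.
    """
    root = allowed_root.resolve()
    target_dir = (root / user_dir).resolve()
    if target_dir != root and root not in target_dir.parents:
        raise ValueError(f"output directory escapes allowed root: {user_dir!r}")
    if not target_dir.is_dir():
        raise ValueError(f"output directory does not exist: {target_dir}")
    name = f"{sanitize_component(title)}-{sanitize_component(doc_type)}.docx"
    return target_dir / name


def pandoc_argv(src: Path, dst: Path) -> List[str]:
    """argv list for pandoc; handed to subprocess without a shell, so the
    paths are arguments and are never parsed as commands."""
    return ["pandoc", os.fspath(src), "-o", os.fspath(dst)]


def export_docx(
    output_text: str,
    user_dir: str,
    title: str,
    doc_type: str,
    allowed_root: Path,
    overwrite: bool = False,
    runner: Callable = subprocess.run,
) -> Path:
    """Write the generated markdown via a file API, convert it, return the .docx path.

    runner defaults to subprocess.run; it is injectable (an assumption for
    this example) so the logic can be tested where pandoc is not installed.
    """
    dst = resolve_output_path(user_dir, title, doc_type, Path(allowed_root))
    if dst.exists() and not overwrite:
        raise FileExistsError(f"refusing to overwrite {dst}; pass overwrite=True")
    # mkstemp creates a fresh, mode-0600 file, unlike the fixed /tmp/film-output.md
    fd, tmp_name = tempfile.mkstemp(prefix="film-output-", suffix=".md")
    tmp = Path(tmp_name)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(output_text)  # plain write: $(...) and backticks stay inert text
        runner(pandoc_argv(tmp, dst), shell=False, check=True)
    finally:
        tmp.unlink(missing_ok=True)
    return dst


if __name__ == "__main__":
    # Constructed usage: export into ./exports under the current directory.
    Path("exports").mkdir(exist_ok=True)
    print(export_docx("# Call sheet\n", "exports", "Night Shoot", "Call Sheet", Path(".")))
```

With `check=True`, a failing pandoc run raises `subprocess.CalledProcessError` rather than silently leaving a partial file; the temporary markdown is removed on every path out of the function.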
Users who want Word export must trust their local pandoc installation; otherwise the skill can still operate as text-only prompts.
The skill has no install spec, but optional document export depends on an external binary installed through the host package manager. This is purpose-aligned and disclosed, but users should know it relies on local tooling outside the skill package.
Requires: `pandoc` must be installed on the host (`brew install pandoc` on Mac). If not available, deliver the output as text only.
Install pandoc only from a trusted package source, or use the text-only output mode if document export is not needed.
