Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

🎬 Movie Butler (观影小管家)

v1.0.0

Integrates TMDB with Emby/Plex to provide movie lookup, media library management, viewing history and personalized recommendations.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for duzhilei951/movie-butler.

Prompt preview (Install & Setup):
Install the skill "🎬 观影小管家" (duzhilei951/movie-butler) from ClawHub.
Skill page: https://clawhub.ai/duzhilei951/movie-butler
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install duzhilei951/movie-butler

ClawHub CLI


npx clawhub@latest install movie-butler

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Registry metadata claims no required environment variables, but package.json, SKILL.md and index.js clearly expect TMDB, Emby (URL/API key/user id) and optional Plex credentials. The code also embeds default API keys and local Emby URLs. This is an internal inconsistency: either the registry metadata is wrong or the skill is asking for secrets it didn't declare.
Instruction Scope
SKILL.md instructs storing credentials in a specific absolute path (C:\Users\yz207\.openclaw\.env) and index.js/feishu-card.js use dotenv to load ../../../.env. The runtime instructions and code read/write the local movie-memory.md file and call TMDB/OMDb/Emby/Plex APIs (expected), but loading an outer .env path can cause the skill to read unrelated environment values. SKILL.md also contains a detected unicode-control-chars prompt-injection pattern.
Install Mechanism
No install spec (instruction-only) and no external downloads — that's lower risk. However the package includes executable JS files (index.js, feishu-card.js) that will be present on disk and executed; there is no build/install step declared, so execution will rely on these included files.
Credentials
The code legitimately needs TMDB and Emby/Plex credentials for its features, but: (1) the registry metadata advertised 'none' for required env vars while package.json lists required env; (2) multiple API keys (TMDB, several OMDb keys) are hard-coded as defaults in index.js and SKILL.md, which is poor practice and may indicate leaked or reused keys; (3) the practice of pointing to a user-specific absolute .env path and loading ../../../.env is disproportionate because it may expose other environment secrets on the host.
Persistence & Privilege
The skill is not marked always:true and does not claim elevated platform privileges, which is good. However the code intentionally loads an .env file from a relative path that climbs directories (../../../.env) and writes/updates movie-memory.md. Loading an outer .env can access secrets belonging to the host or other skills; combined with autonomous invocation this increases blast radius.
Scan Findings in Context
[unicode-control-chars] unexpected: A prompt-injection pattern was detected in SKILL.md (unicode control characters). This is not expected for a movie-recommendation README and may indicate an attempt to manipulate prompt processing or the evaluator. Treat with caution.
What you should consider before installing

- Inconsistency: The registry advertises no required env vars, but the package and README expect TMDB, Emby (URL/API key/user id) and optionally Plex. Confirm with the author which credentials are actually needed.
- Hard-coded keys: index.js and SKILL.md include default API keys (TMDB and several OMDb keys). These may be placeholders or leaked keys — they are poor practice and could be abused. Do not rely on embedded keys; prefer to put your own API keys in a controlled location.
- .env path risk: The code uses dotenv with path.join(__dirname, '../../../.env') and SKILL.md instructs putting credentials in a user-specific .env path. That can cause the skill to load environment variables outside the skill folder (potentially other secrets). Before running, edit the code to point to a safe, explicit config path you control, or run the skill in a sandboxed environment.
- Prompt-injection marker: A unicode-control-chars pattern was found in SKILL.md. Treat documentation and prompts carefully; validate that runtime prompts and instructions haven't been tampered with.
- Practical mitigations: (1) Review and remove any hard-coded keys; replace them with explicit required env variables and clear docs. (2) Modify the dotenv path to an approved, explicit file (not '../../../.env'). (3) Run the code in an isolated VM/container and monitor network calls to confirm only TMDB/Emby/Plex endpoints are contacted. (4) If you don't trust the source, don't provide any real API keys or sensitive service tokens until the code is audited or the author provides a signed/official release.

If you want, I can: point to the exact lines with hard-coded keys and dotenv usage, suggest a safe code change to use process.env only (no default keys), or produce a checklist to audit network behavior before trusting this skill.


399 downloads, 1 star, 1 version, v1.0.0, license MIT-0

🎬 Movie Butler - 观影小管家

Teacher Du's personal movie-watching assistant, integrating TMDB + Emby/Plex to provide movie lookup, media library management, personalized recommendations and more.

📋 Feature List

1. 🌐 Movie Lookup (web-wide + server)

  • TMDB web-wide lookup - synopsis, rating, cast, director, genres, poster
  • Emby server lookup - check whether the title is present and its video quality
  • Smart download suggestions - when the server lacks the title, offer a download hint
  • One-click comparison - show web-wide info and server status side by side

2. 📺 Emby Media Library Management

  • Query movies/series on the server
  • Get media library statistics
  • Search for a specific title
  • View recently added / recently played

3. Plex Media Library Management

  • Query Plex server contents
  • Get playlists
  • Media library statistics

4. Viewing History and Preferences

  • Record movies watched and impressions
  • Record ratings
  • Analyze viewing preferences
  • Personalized recommendations

5. 🎯 One Movie a Week

  • Automatically generate a weekly recommendation
  • Intelligently analyze your tastes
  • Combine with Emby server contents
  • Give detailed reasons for the recommendation
  • Record the weekly viewing plan

6. Context-Aware Recommendations

  • Recommend by mood (tired → light, happy → thrilling)
  • Recommend by work status (busy → a treat, free → something deep)
  • Recommend by recent interests
  • Different strategies for weekends and workdays

🔧 Usage

Look up movie information

Look up "The Shawshank Redemption"
Details on "Interstellar"

Query server contents

What sci-fi movies are on Emby?
How many movies does my server have?
Does Emby have any Nolan films?
What movies were added recently?

Search for a specific title

Is "Inception" on the server?
Search Emby for "Avatar"

Record viewing impressions

Just watched "Interstellar", very impressive, Nolan's storytelling is amazing, rating 9/10

🎯 One Movie a Week

What movie do you recommend this week?
Any good movie recommendations this week?
It's the weekend, recommend a movie
Work has been exhausting lately, recommend something light

Context notes (to make recommendations more accurate)

I'm in a good mood today
Work has been busy lately
I've been interested in sci-fi lately

Personalized recommendations

Recommend some sci-fi movies
Recommend movies similar to "Interstellar"
Any highly rated movies on Emby to recommend?
Which sci-fi films haven't I seen yet?

View viewing history

Which movies have I watched?
My viewing history

📁 File Structure

  • SKILL.md - this documentation
  • index.js - main program
  • movie-memory.md - viewing history and preferences (created automatically)

🔑 API Configuration

Configure in C:\Users\yz207\.openclaw\.env:

# TMDB
TMDB_API_KEY=bd1ba3aa647fbaa7b35e93db5164a53f
TMDB_BEARER_TOKEN=xxx

# Emby
EMBY_URL=http://192.168.0.151:8096
EMBY_USERNAME=喜悦影音
EMBY_PASSWORD=
EMBY_API_KEY=xxx  # needs to be generated

# Plex (optional)
PLEX_URL=http://xxx:32400
PLEX_TOKEN=xxx

📝 Viewing Memory Format

## 2026-03-03

### The Shawshank Redemption
- **Rating**: 10/10
- **Impression**: A classic among classics; the contrast between hope and despair is stunning
- **Genre preference**: +Drama, +Inspirational

### Cumulative preferences
- Favorite genres: sci-fi, drama, mystery
- Favorite directors: Nolan, Spielberg
- Average rating: 8.5/10
- Movies watched: 15
