Skillv1.0.0

ClawScan security

🎬 观影小管家 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 3, 2026, 5:16 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description matches its purpose, but the package contains hard-coded API keys, inconsistent metadata about required credentials, and code that loads an outer .env path (potentially reading unrelated secrets) — these mismatches and a detected prompt-injection marker make the package suspicious.
Guidance: What you should consider before installing: - Inconsistency: The registry advertises no required env vars but the package and README expect TMDB, Emby (URL/API key/user id) and optionally Plex. Confirm with the author which credentials are actually needed. - Hard-coded keys: index.js and SKILL.md include default API keys (TMDB and several OMDb keys). These may be placeholders or leaked keys — they are poor practice and could be abused. Do not rely on embedded keys; prefer to put your own API keys in a controlled location. - .env path risk: The code uses dotenv with path.join(__dirname, '../../../.env') and SKILL.md instructs putting credentials in a user-specific .env path. That can cause the skill to load environment variables outside the skill folder (potentially other secrets). Before running, edit the code to point to a safe, explicit config path you control, or run the skill in a sandboxed environment. - Prompt-injection marker: A unicode-control-chars pattern was found in SKILL.md. Treat documentation and prompts carefully; validate that runtime prompts and instructions haven't been tampered with. - Practical mitigations: (1) Review and remove any hard-coded keys; replace with explicit required env variables and clear docs. (2) Modify dotenv path to an approved, explicit file (not '../../../.env'). (3) Run the code in an isolated VM/container and monitor network calls to confirm only TMDB/Emby/Plex endpoints are contacted. (4) If you don't trust the source, don't provide any real API keys or sensitive service tokens until code is audited or the author provides a signed/official release. If you want, I can: point to the exact lines with hard-coded keys and dotenv usage, suggest a safe code change to use process.env only (no default keys), or produce a checklist to audit network behavior before trusting this skill.
Findings: [unicode-control-chars] unexpected: A prompt-injection pattern was detected in SKILL.md (unicode control characters). This is not expected for a movie-recommendation README and may indicate an attempt to manipulate prompt processing or the evaluator. Treat with caution.

Review Dimensions

Purpose & Capability: concernRegistry metadata claims no required environment variables, but package.json, SKILL.md and index.js clearly expect TMDB, Emby (URL/API key/user id) and optional Plex credentials. The code also embeds default API keys and local Emby URLs. This is an internal inconsistency: either the registry metadata is wrong or the skill is asking for secrets it didn't declare.
Instruction Scope: concernSKILL.md instructs storing credentials in a specific absolute path (C:\Users\yz207\.openclaw\.env) and index.js/feishu-card.js use dotenv to load ../../../.env. The runtime instructions and code read/write the local movie-memory.md file and call TMDB/OMDb/Emby/Plex APIs (expected), but loading an outer .env path can cause the skill to read unrelated environment values. SKILL.md also contains a detected unicode-control-chars prompt-injection pattern.
Install Mechanism: noteNo install spec (instruction-only) and no external downloads — that's lower risk. However the package includes executable JS files (index.js, feishu-card.js) that will be present on disk and executed; there is no build/install step declared, so execution will rely on these included files.
Credentials: concernThe code legitimately needs TMDB and Emby/Plex credentials for its features, but: (1) the registry metadata advertised 'none' for required env vars while package.json lists required env; (2) multiple API keys (TMDB, several OMDb keys) are hard-coded as defaults in index.js and SKILL.md, which is poor practice and may indicate leaked or reused keys; (3) the practice of pointing to a user-specific absolute .env path and loading ../../../.env is disproportionate because it may expose other environment secrets on the host.
Persistence & Privilege: concernThe skill is not marked always:true and does not claim elevated platform privileges, which is good. However the code intentionally loads an .env file from a relative path that climbs directories (../../../.env) and writes/updates movie-memory.md. Loading an outer .env can access secrets belonging to the host or other skills; combined with autonomous invocation this increases blast radius.