Films Search
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or accidental @/path argument could cause private local file contents to be used as a search query and potentially sent to external search providers or cached locally.
Any CLI argument beginning with @ is treated as a local file path and replaced with that file's contents, with no path restriction or approval; those arguments are then passed into the film-search workflow.
if [[ "${args[$i]}" == @* ]]; then
  filepath="${args[$i]:1}"
  if [ -f "$filepath" ]; then
    args[$i]="$(cat "$filepath")"
  fi
fi
Remove top-level @file expansion, or restrict it to skill-created temporary files and require explicit user approval before reading any local file.
Your IP address and search activity may be exposed to search engines and resource pages, and returned links may point to untrusted external downloads.
The deep extraction engine fetches URLs from search results to scrape cloud-drive links. This is purpose-aligned, but it means the skill contacts arbitrary third-party resource pages.
r = scraper.get(url, timeout=8)
Use the shallow web engine or lower page/concurrency limits if you do not want broad third-party page fetching.
First use may download and execute Python package code outside the registry install flow, which carries normal package supply-chain risk.
The skill discloses a first-run dependency install into a virtual environment, while the registry metadata lists no install spec or required binaries.
Python 3 (required, used for cloudscraper deep page scraping. Dependencies are automatically installed into `.venv` on first run)
Pin and preinstall dependencies in a reviewed environment, and ensure users see an explicit install prompt before first-run package installation.
Windows users may find the documented command fails or may be tempted to obtain an unreviewed replacement script.
The instructions reference a PowerShell script, but the supplied file manifest does not include scripts/film-search.ps1.
powershell -File "$SKILLS_ROOT/films-search/scripts/film-search.ps1" search "流浪地球2" --pan quark
Use only included scripts, or have the publisher include the referenced PowerShell file or remove that instruction.
Recent search queries and results may remain on disk temporarily and could be reused or seen by other local processes depending on system permissions.
The Node script stores cached search data under the system temporary directory, with caching enabled by default in the visible configuration.
const CACHE_DIR = path.join(os.tmpdir(), "lobsterai-film-cache");
Disable caching with FILM_SEARCH_CACHE_ENABLED=false or clear the temporary cache if search terms are sensitive.
