Cinematic Script Writer
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The script-writing purpose is coherent, but the Google Drive storage code appears to contain hardcoded OAuth/token material and the credential requirements are not clearly declared.
Review carefully before installing or connecting Google Drive. The creative writing features appear purpose-aligned, but the storage integration should be fixed to remove hardcoded secrets, clearly declare OAuth scopes and credential handling, and align the npm install path with reviewed registry metadata.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill may grant it unclear authority over the user's Google account and Drive API, and if an embedded token is still live, it exposes that account's access to anyone who reads the package.
The static scan reports this as a hardcoded API secret or token in the Google Drive storage adapter. Access tokens are sensitive account-authority material and should not be embedded in a public skill package.
this.accessToken = [REDACTED];
Remove hardcoded tokens, rotate any exposed credentials, require user-controlled OAuth, declare the exact Google Drive scopes, and document token storage and revocation.
The user may not get a clear permission boundary for which Google credentials are used or how much Drive access the skill receives.
The static scan reports a hardcoded secret-like value in the OAuth credential handling path. This is sensitive because the skill advertises Google Drive saving but the registry metadata declares no primary credential.
return { clientId: creds.client_id, clientSecret: [REDACTED] };
Do not ship client secrets or tokens in source; use a documented OAuth app flow, least-privilege scopes, and explicit credential declarations in metadata.
Users may trust the Google Drive integration more than the artifacts justify and may connect an account without understanding the credential handling risk.
This security assurance is not well supported by the supplied evidence because static scan results report hardcoded token/secret-like values in the storage implementation.
Credentials are stored securely in memory.
Replace broad security claims with precise documentation of where tokens are stored, how they are protected, what scopes are requested, and how users can disconnect or revoke access.
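The token-handling fix recommended above (no embedded tokens, a declared least-privilege scope, a documented revocation path), as an added example in Node.js that is not the skill's own code and not ClawScan's scanner. DriveStorage, scanForEmbeddedSecrets, the GDRIVE_ACCESS_TOKEN variable and the flagged adapter text are assumed; the token and client-secret values are constructed placeholders, not real credentials.

```javascript
// Added example, not the skill's own code: a Drive storage adapter that keeps
// OAuth material out of source, and a scanner for the pattern ClawScan flagged.
// DriveStorage, scanForEmbeddedSecrets and GDRIVE_ACCESS_TOKEN are hypothetical names.

// Least-privilege scope: drive.file only reaches files this app created or opened.
const DRIVE_SCOPES = Object.freeze(['https://www.googleapis.com/auth/drive.file']);

class DriveStorage {
  // `env` is injected so the adapter can be tested without touching process.env.
  constructor({ env = process.env } = {}) {
    const token = env.GDRIVE_ACCESS_TOKEN;
    if (!token) {
      throw new Error('GDRIVE_ACCESS_TOKEN is not set; complete the user OAuth flow first');
    }
    // Non-enumerable and read-only: the token never shows up in spreads, logs or JSON.
    Object.defineProperty(this, 'accessToken', { value: token, enumerable: false });
    this.scopes = DRIVE_SCOPES;
  }

  authHeader() {
    return { Authorization: `Bearer ${this.accessToken}` };
  }

  // What a disconnect must send to Google's token revocation endpoint;
  // performing the HTTP request is left to the caller.
  revocationRequest() {
    return {
      method: 'POST',
      url: 'https://oauth2.googleapis.com/revoke',
      body: `token=${encodeURIComponent(this.accessToken)}`,
    };
  }

  // Serialising the adapter exposes the declared scopes, never the token.
  toJSON() {
    return { scopes: this.scopes };
  }
}

// Patterns: a credential-looking property assigned a string literal, or a value with
// the shape of a Google access token (ya29.) or OAuth client secret (GOCSPX-).
const SECRET_ASSIGNMENT =
  /\b(accessToken|refreshToken|clientSecret|client_secret|apiKey)\s*[:=]\s*(['"`])[^'"`]+\2/;
const GOOGLE_SECRET_SHAPES = [/\bya29\.[A-Za-z0-9._-]{20,}/, /\bGOCSPX-[A-Za-z0-9_-]{20,}/];

// Returns one finding per offending line, with the literal redacted so the
// report itself does not leak the value.
function scanForEmbeddedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (SECRET_ASSIGNMENT.test(line) || GOOGLE_SECRET_SHAPES.some((re) => re.test(line))) {
      findings.push({
        line: idx + 1,
        text: line.trim().replace(/(['"`])[^'"`]+\1/, '$1[REDACTED]$1'),
      });
    }
  });
  return findings;
}

// Constructed adapter source with the two flagged patterns; values are fake placeholders.
const VULNERABLE_ADAPTER = [
  'class DriveStorage {',
  '  constructor() {',
  '    this.accessToken = "ya29.EXAMPLE_NOT_A_REAL_TOKEN_000000000000";',
  '  }',
  '  oauthClient(creds) {',
  '    return { clientId: creds.client_id, clientSecret: "GOCSPX-EXAMPLE_NOT_A_REAL_SECRET_0000" };',
  '  }',
  '}',
].join('\n');

// The flagged adapter yields two findings; the hardened class above yields none.
console.log(scanForEmbeddedSecrets(VULNERABLE_ADAPTER));
console.log(scanForEmbeddedSecrets(DriveStorage.toString()));
```

The scanner is deliberately narrow: it flags a string literal assigned to a credential-named property, or anything shaped like a Google token or client secret, which is exactly the pattern in the two redacted snippets above. The hardened adapter passes the same scan because its only credential comes from the environment at construction time, fails closed when absent, and is never serialised.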
A user may install code from npm that is not clearly tied to a reviewed source repository or registry install contract.
The documented setup installs a global npm package, while the registry summary says there is no install spec and the source/homepage are unknown. Global package installation is common for CLI skills, but users should verify provenance.
npm install -g cinematic-script-writer
Verify the npm package publisher and version, prefer a pinned reviewed release, and align the registry install metadata with the documented install path.
Story details, character profiles, scripts, and related metadata may be retained and reused by the agent environment.
The skill is designed to store and retrieve user story contexts, scripts, and generated content. This is purpose-aligned, but it means creative project data can persist beyond a single interaction.
- memory:read (Store/retrieve contexts, scripts)
- memory:write (Save generated content)
Avoid storing sensitive private material unless needed, and provide clear controls for listing, exporting, and deleting stored contexts and scripts.
