Skill v1.4.0

ClawScan security

Cinematic Script Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:41 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, CLI, and install method are consistent with its stated purpose (cinematic script generation, cinematography references, character consistency, and optional Google Drive/local storage); nothing in the bundle indicates clear misdirection or hidden exfiltration, but a few implementation and supply-chain details deserve review before install.
Guidance
This skill appears to do what it claims (script generation, cinematography guides, prompt building) and installs via npm, but before installing:

1. Verify the npm package author and version on the npm registry (openclaw-skills) and inspect the package contents or source repo to ensure they match what you see here.
2. Open the storage-adapter.ts and storage-manager.ts files to confirm how Google OAuth tokens are handled (look for any code that writes tokens to a remote endpoint or to disk).
3. Confirm whether googleapis (or another Drive client) is listed as a dependency in the skill-specific package.json. If Drive integration is expected but the dependency is missing, that could be an oversight or indicate a mismatch.
4. Be aware the skill can write to your local Downloads folder when using local storage. If you need to limit filesystem access, run it in a sandbox/container.
5. If you plan to use the Google Drive integration, only proceed with the interactive OAuth flow and verify the consent screen and scope requested; do not paste service account keys or secrets into the CLI.
6. If you are unsure, test the package in an isolated environment (container or VM) first and inspect runtime network traffic and file writes.

Review Dimensions

Purpose & Capability
[ok] Name/description align with the actual files: the repo includes a CLI, cinematography databases, a consistency system, prompt builder, and storage adapters. Requiring node and distributing as an npm package (openclaw-skills) is proportionate to a TypeScript/Node CLI skill.
Instruction Scope
[note] SKILL.md and the CLI only direct typical operations for script generation, cinematography lookups, prompt building, and storage. The storage features include Google Drive OAuth and a local 'Downloads' fallback, which implies filesystem writes and an OAuth browser flow. The instructions do not appear to ask for unrelated system secrets, but local storage will access the user's Downloads folder and the Drive connect action will cause HTTP traffic and an auth flow; review storage-adapter.ts/storage-manager.ts to confirm tokens are not silently persisted or exfiltrated.
Install Mechanism
[ok] Installation is via npm (package: openclaw-skills), which is a standard package registry install. No external arbitrary download URLs or extract-from-URL steps are used in the provided install spec. As with any npm package, verify the package authorship and checksum on the registry before global install.
Credentials
[note] The skill declares no required environment variables or primary credential, which is reasonable for an interactive Google OAuth flow. However, SKILL.md mentions using the googleapis library and Google OAuth2; ensure the library/dependency is present (I noticed the top-level package.json lists only 'uuid' in dependencies; confirm the cinematography skill's package.json includes googleapis if Drive integration is implemented). The skill also writes to the local Downloads folder when using local storage, which involves filesystem access that should be expected and reviewed.
Persistence & Privilege
[ok] always:false (not force-included) and model invocation is allowed (the default). The skill does not request 'always' or other elevated platform privileges in the metadata provided. Review the skill.json under skills/cinematic-script-writer/skill.json to confirm declared runtime permissions (memory/http/fs) before granting the agent broad abilities.