Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DaVinci Auto Editor
v0.2.1 · Generate DaVinci Resolve import packages from local media plus a cloud editing API. Use when Codex needs to scan a material folder, request a cloud editing p...
⭐ 0 · 118 · 0 current · 0 all-time
by @afengzi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name, description, manifest, SKILL.md, README, and scripts/index.js are consistent: the skill scans a material folder, builds a materials index, calls a cloud API for a plan, and writes Resolve-importable files locally. Requiring only Node is proportionate to the described functionality.
Instruction Scope
Runtime instructions and the implementation explicitly instruct scanning the entire material directory and POSTing a materials index to the cloud. The materials payload includes absolutePath, relativePath, name, size, modifiedAt and a SHA1-based id (path hashed). Sending absolute paths and file metadata to a remote API is outside pure local editing work and is a privacy/exfiltration risk unless you trust the target API.
Install Mechanism
No install spec is provided (instruction-only plus included Node script). That minimizes installer risk. The project ships a local Node script (scripts/index.js) which will run on the user's machine — review that script (included) before running, but there is no remote installer download of code at runtime.
Credentials
The registry metadata lists no required env vars, but the config schema and examples require api_base_url and api_key (supplied in a config file). Requiring an API key is expected for a cloud-driven skill, but the example config uses a raw IP address (http://43.137.46.105:8787) which is unusual and potentially suspicious. Also, secrets are expected to be placed in a JSON config file (not an env var), which could leave credentials on disk if not managed carefully.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes outputs under a project-adjacent _davinci_auto_editor/<taskId> directory. It does create files (resolve-import.json, timeline.edl, execution-report.json) in the filesystem as part of normal operation, which is expected for its purpose.
What to consider before installing
Before installing or running this skill:
1) Verify and trust the api_base_url you will use — do not point the skill to unknown or untrusted endpoints (the example uses a raw IP which is unusual).
2) Understand what is uploaded: the tool sends a materials index containing absolute file paths, filenames, sizes, timestamps and hashed path IDs to the configured cloud API — do not run it against sensitive directories.
3) Store your api_key securely (avoid committing the config file to source control and consider using a secrets manager or environment variable instead).
4) If you want to evaluate behavior safely, run it first on a non-sensitive sample folder and inspect all HTTP requests (e.g., with a local proxy) and the remote service’s privacy/retention policy.
5) If you cannot vet or trust the remote API endpoint, do not provide real credentials or sensitive media; consider adapting the script to target a local test service or to skip uploading paths you do not want shared.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/index.js:14 · Environment variable access combined with network send.
examples/config.example.json:2 · Install source points to URL shortener or raw IP.
scripts/index.js:114 · File read combined with network send (possible exfiltration).
Runtime requirements
🎞️ Clawdis
OS: macOS · Linux · Windows
Bins: node
