Back to plugin

Security audit

Mediaclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

MediaClaw's code and runtime instructions match a media-generation plugin: it calls provider APIs, runs local media tools (ffmpeg/python) and reads/writes workspace media and avatar files — nothing in the bundle looks malicious, but there are a couple of practical/informational mismatches you should note before installing.

What to consider before installing: - Functional scope: This plugin legitimately needs network access to configured providers and needs local media tooling. Expect it to call configured yuanjing/sglang endpoints and to run ffmpeg/ffprobe and a bundled Python script (merge_ass.py) to compose subtitles and videos. If you don't want code to run ffmpeg or Python on your host, do not install. - Tooling mismatch: The registry metadata lists no required binaries, but SKILL.md clearly requires FFmpeg/ffprobe and Python for some workflows — ensure FFmpeg (and Python3 for the merge script) are installed from trusted sources before use. - Workspace file access: The skill will scan the workspace root for AVATAR-*-*.md files and may read and update avatar files; review any such files for sensitive content before installing or run the plugin in an isolated workspace. - Credentials: Provider API keys are supplied via plugin configuration (not env vars). Only configure trusted provider endpoints/keys; defaults like http://localhost:30010 or 'sk-dummy' are placeholders. - Network & privacy: The plugin will send media and prompts to the configured provider endpoints; review provider privacy/policy if you will process sensitive content. - Code review: Source files (TypeScript + Python script) are included in the package — if you need higher assurance, inspect src/api/yuanjing-client.ts and src/api/sglang-client.ts (not fully shown here) for exact network calls and any telemetry. Overall: the skill is internally consistent with its stated purpose and appears benign, but double-check the FFmpeg/Python dependency, workspace file access, and provider configuration before use.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.