jianying-auto-editor Security Report — Trusted | ClawSafe

5 /100

jianying-auto-editor

Automate Jianying draft generation from local media plus a cloud editing API

Jianying video editor automation skill with clean implementation using only Node.js built-in modules, no shell execution, and well-scoped file/network permissions. The hardcoded IP in example config is a placeholder for users to replace.

Skill Namejianying-auto-editor

Duration30.4s

Enginepi

✓

Safe to install

Skill is safe to use. Users should replace the example API endpoint with their own cloud service. Consider documenting credential handling best practices.

Findings 3 items

Severity	Finding	Location
Info	No external dependencies Skill uses only Node.js built-in modules (fs/promises, path, crypto) with no npm dependencies, reducing supply chain risk `"type": "commonjs"` → Maintain dependency-free approach for minimal attack surface	`package.json:8`
Info	Clean error handling with best-effort fallback Error handler in main().catch() attempts to write execution-report.json as fallback, with proper try/catch for best-effort behavior `} catch (_) { // Best effort only. }` → Error handling approach is appropriate and non-destructive	`scripts/index.js:271`
Low	Placeholder IP in example config examples/config.example.json contains hardcoded IP 43.137.46.105:8787 marked as example endpoint. Users are expected to replace this with their own service. `"api_base_url": "http://43.137.46.105:8787"` → Consider using localhost or a more clearly placeholder domain like 'your-api.example.com'	`examples/config.example.json:2`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/index.js:156-158 writes draft-meta.json, draft-content.json, execution-r…
Filesystem	`READ`	`READ`	✓ Aligned	scripts/index.js:97-142 scans material_path recursively for media files
Network	`READ`	`READ`	✓ Aligned	scripts/index.js:179-203 uses native fetch API for GET/POST to configured cloud …
Shell	`NONE`	`NONE`	—	No subprocess, exec, or shell command invocations found in codebase

1 High 3 findings

📡

High IP Address 硬编码 IP 地址

43.137.46.105

examples/config.example.json:2

🔗

Medium External URL 外部 URL

https://api.example.com

README.md:20

🔗

Medium External URL 外部 URL

http://43.137.46.105:8787

examples/config.example.json:2

File Tree

8 files · 22.3 KB · 749 lines

JavaScript 1f · 394L JSON 3f · 178L Markdown 2f · 173L YAML 1f · 4L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 4L · 243 B

├─ ▾ 📁 assets

│ └─ 📦 icon.svg 521 B

├─ ▾ 📁 examples

│ └─ 📋 config.example.json JSON 23L · 689 B

├─ ▾ 📁 scripts

│ └─ 📜 index.js JavaScript 394L · 12.1 KB

├─ 📋 manifest.json JSON 130L · 3.3 KB

├─ 📋 package.json JSON 25L · 500 B

├─ 📝 README.md Markdown 102L · 2.6 KB

└─ 📝 SKILL.md Markdown 71L · 2.4 KB

Security Positives

✓ No shell execution or subprocess invocations

✓ No credential harvesting from environment variables

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No eval(), Function(), or dynamic code execution

✓ No base64-encoded payloads piped to shell

✓ No remote script download/execution (curl|bash, wget|sh)

✓ No hidden instructions in comments or documentation

✓ Uses native fetch API with proper timeout and signal handling

✓ No external npm dependencies - all built-in Node.js modules only

✓ API key properly scoped to Authorization Bearer header

✓ Config validation prevents missing required fields

Scan Report

Findings 3 items

File Tree

Security Positives