Trusted: risk score 5/100
Last scan: 2 days ago
jianying-auto-editor
Automate Jianying draft generation from local media plus a cloud editing API
Jianying video editor automation skill with a clean implementation: only Node.js built-in modules, no shell execution, and well-scoped file/network permissions. The hardcoded IP in the example config is a placeholder for users to replace.
Skill name: jianying-auto-editor
Analysis time: 30.4s
Engine: pi
Safe to install
Skill is safe to use. Users should replace the example API endpoint with their own cloud service. Consider documenting credential-handling best practices.

Security findings (3)

Info: No external dependencies (package.json:8)
Skill uses only Node.js built-in modules (fs/promises, path, crypto) with no npm dependencies, reducing supply-chain risk.
Evidence: "type": "commonjs"
→ Maintain the dependency-free approach for minimal attack surface.

Info: Clean error handling with best-effort fallback (scripts/index.js:271)
The error handler in main().catch() attempts to write execution-report.json as a fallback, wrapped in its own try/catch so the fallback itself is best-effort.
Evidence: } catch (_) { // Best effort only. }
→ The error-handling approach is appropriate and non-destructive.

Low: Placeholder IP in example config (examples/config.example.json:2)
examples/config.example.json contains the hardcoded endpoint 43.137.46.105:8787, marked as an example that users are expected to replace with their own service. The address is publicly routable (not in a reserved documentation range) and the scheme is plain http.
Evidence: "api_base_url": "http://43.137.46.105:8787"
→ Use a loopback address or a reserved placeholder (an RFC 2606 name such as your-api.example.com, or an RFC 5737 address such as 192.0.2.1) and an https URL, so that a config left unedited cannot send the API key as a cleartext Bearer token to whatever host answers at that address.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ consistent | scripts/index.js:156-158 writes draft-meta.json, draft-content.json, execution-r…
File system | READ | READ | ✓ consistent | scripts/index.js:97-142 scans material_path recursively for media files
Network access | READ | READ | ✓ consistent | scripts/index.js:179-203 uses native fetch API for GET/POST to configured cloud …
Command execution | NONE | NONE | | No subprocess, exec, or shell command invocations found in codebase
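The placeholder-IP finding and the network-access row above concern the same setting: whatever `api_base_url` holds is where the skill's Bearer token goes. The following is an added example, not code from the jianying-auto-editor skill, showing the pre-flight check a deployment can run on that setting before attaching the API key. It uses only Node.js built-ins (the `URL` and `AbortSignal` globals), in keeping with the skill's dependency-free approach. The config field name `api_key`, the sample hostnames, the request path and the `buildRequest` helper are assumptions for illustration; `api_base_url` and the two URLs the scanner flagged come from this report.

```javascript
// Added example, not code from the jianying-auto-editor skill: a pre-flight
// check on the api_base_url setting before the API key is attached as a Bearer
// token. Built-ins only (the URL and AbortSignal globals), matching the skill's
// dependency-free approach. The field name `api_key`, the hostnames and the
// request path are assumptions for illustration.

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const isIPv4 = (s) => IPV4.test(s);

// IPv4 space a shipped example config may legitimately point at:
// the RFC 5737 documentation blocks, plus loopback for local development.
const DOCUMENTATION_V4 = [["192.0.2.0", 24], ["198.51.100.0", 24], ["203.0.113.0", 24]];
const LOOPBACK_V4 = ["127.0.0.0", 8];

const ipv4ToInt = (ip) => ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);

function inCidr(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Node's URL.hostname keeps the brackets on IPv6 literals, hence "[::1]".
function isLoopback(host) {
  return host === "localhost" || host === "[::1]" || (isIPv4(host) && inCidr(host, LOOPBACK_V4));
}

// RFC 2606 reserved names (the README's https://api.example.com falls here)
// and RFC 5737 addresses are placeholders by definition.
function isPlaceholderHost(host) {
  if (isIPv4(host)) return DOCUMENTATION_V4.some((range) => inCidr(host, range));
  return host === "example.com" || host.endsWith(".example.com") ||
    host.endsWith(".example") || host.endsWith(".invalid") || host.endsWith(".test");
}

// Returns { ok, problems }; each problem is a reason the Bearer token must not
// be sent to this endpoint as configured.
function checkApiBaseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, problems: ["api_base_url is not a parseable URL"] };
  }
  const host = url.hostname;
  const problems = [];
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    problems.push(`unsupported scheme ${url.protocol}`);
  }
  if (url.protocol === "http:" && !isLoopback(host)) {
    problems.push("cleartext http to a non-loopback host: the Bearer token would travel unencrypted");
  }
  if (isPlaceholderHost(host)) {
    problems.push(`placeholder endpoint ${host}: replace it before use`);
  } else if (isIPv4(host) && !isLoopback(host)) {
    // The case the scanner flagged in examples/config.example.json: a real,
    // routable address rather than a reserved placeholder.
    problems.push(`routable IP literal ${host}: confirm this host is your own service`);
  }
  return { ok: problems.length === 0, problems };
}

// Request options as they would be handed to fetch(): the Authorization header
// is only built once the endpoint passes the check, and the request is bounded
// by AbortSignal.timeout instead of waiting indefinitely.
function buildRequest(config, path, timeoutMs = 10_000) {
  const { ok, problems } = checkApiBaseUrl(config.api_base_url);
  if (!ok) throw new Error(`refusing api_base_url: ${problems.join("; ")}`);
  if (typeof config.api_key !== "string" || config.api_key.length === 0) {
    throw new Error("api_key is missing");
  }
  return {
    url: new URL(path, config.api_base_url).toString(),
    headers: { Authorization: `Bearer ${config.api_key}`, Accept: "application/json" },
    signal: AbortSignal.timeout(timeoutMs),
  };
}

// Constructed inputs: the two values the scanner flagged, plus two a deployment
// might actually use (the hostnames are made up).
const SAMPLES = {
  shippedExample: "http://43.137.46.105:8787",
  readmePlaceholder: "https://api.example.com",
  localDev: "http://127.0.0.1:8787",
  production: "https://api.my-cloud-service.net",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  const { ok, problems } = checkApiBaseUrl(value);
  console.log(`${name}: ${ok ? "ok" : "REJECTED (" + problems.join("; ") + ")"}`);
}
```

Run with `node`: the shipped example is rejected twice over (cleartext http and a routable IP literal), the README's example.com URL is rejected as a placeholder, and only the loopback and the https hostname are allowed to receive the token. The routable-IP rule is deliberately conservative; relax it to a warning if your service really is reached by address.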
Indicators (1 high, 3 findings)

📡 High: IP address (hardcoded IP address)
43.137.46.105
examples/config.example.json:2

🔗 Medium: External URL
https://api.example.com
README.md:20

🔗 Medium: External URL
http://43.137.46.105:8787
examples/config.example.json:2

Directory structure

8 files · 22.3 KB · 749 lines
JavaScript: 1 file · 394 lines; JSON: 3 files · 178 lines; Markdown: 2 files · 173 lines; YAML: 1 file · 4 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 243 B
├─ 📁 assets
│ └─ 📦 icon.svg 521 B
├─ 📁 examples
│ └─ 📋 config.example.json JSON 23L · 689 B
├─ 📁 scripts
│ └─ 📜 index.js JavaScript 394L · 12.1 KB
├─ 📋 manifest.json JSON 130L · 3.3 KB
├─ 📋 package.json JSON 25L · 500 B
├─ 📝 README.md Markdown 102L · 2.6 KB
└─ 📝 SKILL.md Markdown 71L · 2.4 KB

Security highlights

✓ No shell execution or subprocess invocations
✓ No credential harvesting from environment variables
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No eval(), Function(), or dynamic code execution
✓ No base64-encoded payloads piped to shell
✓ No remote script download/execution (curl|bash, wget|sh)
✓ No hidden instructions in comments or documentation
✓ Uses native fetch API with proper timeout and signal handling
✓ No external npm dependencies - all built-in Node.js modules only
✓ API key properly scoped to Authorization Bearer header
✓ Config validation prevents missing required fields