Low Risk — Risk Score 20/100
Last scan: 2 days ago
davinci-auto-editor
Cloud-driven DaVinci Resolve automation skill that scans local media, requests a cloud editing plan, and generates a Resolve-importable EDL package with pure Node.
DaVinci Resolve automation skill with legitimate cloud API integration, no shell execution, and no credential harvesting. A hardcoded external IP in example config is the primary concern.
Skill Name: davinci-auto-editor
Duration: 30.6s
Engine: pi
Safe to install
Accept for use, but replace the hardcoded IP in the example config with a proper domain name or an environment variable, and pin the external API endpoint (a fixed, HTTPS hostname) in production deployments.

Findings (3 items)

Each finding lists severity and title, a description, the evidence line, the recommended fix (→), and the location.
Medium: Hardcoded external IP address in example configuration
examples/config.example.json contains a hardcoded endpoint, '43.137.46.105:8787', pointing at an external host. It sits in an example file rather than production code, but a user who copies the example without changing the endpoint will send their API key and media metadata to that host.
  "api_base_url": "http://43.137.46.105:8787"
→ Replace the hardcoded IP with a placeholder domain name or a hostname variable (e.g. 'https://api.your-service.com'), and document that users must configure their own endpoint.
Location: examples/config.example.json:2
Low: API key transmitted in Authorization header
The skill sends api_key as a Bearer token in the Authorization header of every request to the configured cloud endpoint. That is standard practice, but the key is readable on the wire whenever the endpoint is plain HTTP. Note that the shipped example config uses http://, so a copied example config would send the key in cleartext.
  'authorization': `Bearer ${this.apiKey}`
→ Require that api_base_url uses https:// (reject http:// at startup) so the key is protected in transit.
Location: scripts/index.js:175
Low: Media paths sent to external cloud API
The skill sends the absolute filesystem paths of media files to the cloud API for planning. This is declared in SKILL.md, but users should be aware that the remote service learns their local directory layout, which on a typical workstation includes the user's home directory name.
  absolutePath: fullPath
→ Document this behaviour clearly and consider sending paths relative to the scanned media root, or file hashes, instead of absolute paths.
Location: scripts/index.js:41
Resource      Declared  Inferred  Status     Evidence
Filesystem    WRITE     WRITE     ✓ Aligned  scripts/index.js:36 - Recursive media scan; writes EDL, JSON, and report files t…
Network       READ      READ      ✓ Aligned  scripts/index.js:156-183 - ApiClient class uses fetch() to GET/POST cloud API en…
Shell         NONE      NONE                 No child_process, exec, spawn, or shell invocation found in codebase
Environment   NONE      NONE                 No iteration over process.env or extraction of credentials from environment variables
Hardcoded endpoints: 2 findings (1 High, 1 Medium)

High    Hardcoded IP address   43.137.46.105               examples/config.example.json:2
Medium  External URL           http://43.137.46.105:8787   examples/config.example.json:2

File Tree

8 files · 25.3 KB · 821 lines
JavaScript: 1 file, 470 lines · Markdown: 2 files, 181 lines · JSON: 3 files, 166 lines · YAML: 1 file, 4 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 265 B
├─ 📁 assets
│ └─ 📦 icon.svg 578 B
├─ 📁 examples
│ └─ 📋 config.example.json JSON 23L · 676 B
├─ 📁 scripts
│ └─ 📜 index.js JavaScript 470L · 15.2 KB
├─ 📋 manifest.json JSON 118L · 2.6 KB
├─ 📋 package.json JSON 25L · 530 B
├─ 📝 README.md Markdown 108L · 3.0 KB
└─ 📝 SKILL.md Markdown 73L · 2.5 KB

Security Positives

✓ No shell execution capability - no child_process, exec, spawn, or shell invocation found
✓ No credential harvesting from environment variables or sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or eval() with decoded content
✓ No reverse shell, C2 communication, or data exfiltration beyond declared cloud API calls
✓ No hidden instructions in HTML comments or disguised payloads
✓ Code is straightforward and performs exactly what SKILL.md describes
✓ Error handling includes best-effort fallback reporting without exposing sensitive data
✓ API key is only used for declared cloud API authentication, not exfiltrated elsewhere