Trusted — Risk Score 5/100
Last scan: 2 days ago
fcpx-assistant
Final Cut Pro X assistant - auto video production, TTS voiceover, media management, batch export
Legitimate video production assistant with expected shell execution and API calls for video generation features. No malicious patterns detected.
Skill Name: fcpx-assistant
Duration: 40.9s
Engine: pi
Safe to install
This skill is safe to use. Monitor API key usage and ensure proper environment variable configuration.

Findings 2 items

Severity: Low
Finding: Documentation contains placeholder API keys
Location: MATERIAL_SOURCE_GUIDE.md:63
MATERIAL_SOURCE_GUIDE.md lines 63, 66 and QUICKSTART.md line 176 show API_KEY='your_pexels_key_here' style placeholders in example code blocks
API_KEY="your_pexels_key_here"
→ These are documented examples showing expected format. Not actual credentials. Consider adding comments clarifying they are placeholders.

Severity: Low
Finding: Unpinned Python dependencies
Location: webui/requirements.txt:1
webui/requirements.txt uses >= for version constraints without upper bounds
gradio>=4.0.0
→ Add upper bounds or specific versions for reproducible builds

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | All scripts use bash for ffmpeg, curl, jq operations |
| Filesystem | WRITE | WRITE | ✓ Aligned | Creates project directories, writes output videos/scripts |
| Network | READ | READ | ✓ Aligned | API calls to Pexels, Pixabay, DashScope documented in SKILL.md |
| Environment | READ | READ | ✓ Aligned | Reads PEXELS_API_KEY, PIXABAY_API_KEY, DASHSCOPE_API_KEY from env |

36 findings, 3 High

| Severity | Type | Match | Location |
|---|---|---|---|
| High | API Key (suspected hardcoded credential) | API_KEY="your_pexels_key_here" | MATERIAL_SOURCE_GUIDE.md:63 |
| High | API Key (suspected hardcoded credential) | API_KEY="your_pixabay_key_here" | MATERIAL_SOURCE_GUIDE.md:66 |
| High | API Key (suspected hardcoded credential) | API_KEY="your-api-key-here" | QUICKSTART.md:176 |
| Medium | External URL | https://www.bilibili.com | AUTO_PUBLISH_README.md:50 |
| Medium | External URL | https://console.cloud.google.com | AUTO_PUBLISH_README.md:72 |
| Medium | External URL | https://creator.douyin.com | AUTO_PUBLISH_README.md:88 |
| Medium | External URL | http://127.0.0.1:7860/gradio_api/info | GUIDE.md:200 |
| Medium | External URL | https://www.pexels.com/api/ | MATERIAL_SOURCE_GUIDE.md:20 |
| Medium | External URL | https://pixabay.com/api/docs/ | MATERIAL_SOURCE_GUIDE.md:38 |
| Medium | External URL | https://pixabay.com/api/docs/#api_search_videos | MATERIAL_SOURCE_GUIDE.md:42 |
| Medium | External URL | https://ffmpeg.org/documentation.html | MATERIAL_SOURCE_GUIDE.md:226 |
| Medium | External URL | http://127.0.0.1:7860 | QUICKSTART.md:166 |
| Medium | External URL | https://dashscope.aliyuncs.com/compatible-mode/v1 | scripts/ai-script-generator.sh:15 |
| Medium | External URL | http://127.0.0.1:8000/gradio_api/call/run | scripts/auto-chapter-marker.sh:36 |
| Medium | External URL | https://member.bilibili.com/platform/upload/video | scripts/auto-publish.sh:258 |
| Medium | External URL | https://studio.youtube.com/ | scripts/auto-publish.sh:297 |
| Medium | External URL | https://creator.douyin.com/ | scripts/auto-publish.sh:327 |
| Medium | External URL | https://creator.xiaohongshu.com/ | scripts/auto-publish.sh:357 |
| Medium | External URL | http://127.0.0.1:7860/gradio_api/call/generate_voice_fn | scripts/auto-voiceover.sh:40 |
| Medium | External URL | https://www.pexels.com/api/) | scripts/media-collector.sh:14 |
| Medium | External URL | https://pixabay.com/api/docs/) | scripts/media-collector.sh:15 |
| Medium | External URL | https://api.pexels.com/videos/search?query=$ | scripts/media-collector.sh:150 |
| Medium | External URL | https://pixabay.com/api/videos/?key=$ | scripts/media-collector.sh:255 |
| Medium | External URL | https://pixabay.com/music/search/$ | scripts/media-collector.sh:339 |
| Medium | External URL | https://pixabay.com/api/music/?key=$ | scripts/media-collector.sh:342 |
| Medium | External URL | https://freemusicarchive.org/search?quicksearch=$ | scripts/media-collector.sh:389 |
| Medium | External URL | https://incompetech.com/music/royalty-free/music.html$ | scripts/media-collector.sh:390 |
| Medium | External URL | https://mixkit.co/free-stock-music/ | scripts/music-collector.sh:9 |
| Medium | External URL | https://freemusicarchive.org/ | scripts/music-collector.sh:10 |
| Medium | External URL | https://www.bensound.com/ | scripts/music-collector.sh:11 |
| Medium | External URL | https://mixkit.co/free-stock-music/$ | scripts/music-collector.sh:91 |
| Medium | External URL | https://freemusicarchive.org/search/rss?quicksearch=$ | scripts/music-collector.sh:137 |
| Medium | External URL | https://www.bensound.com/search?q=$ | scripts/music-collector.sh:172 |
| Medium | External URL | https://studio.youtube.com/channel/UC/audio_library$ | scripts/music-collector.sh:189 |
| Medium | External URL | https://studio.youtube.com/channel/UC/audio_library | scripts/music-collector.sh:274 |
| Medium | External URL | http://$(hostname | start-webui.sh:105 |

File Tree

29 files · 218.7 KB · 7293 lines
Shell 18f · 3862L Markdown 8f · 2696L Python 1f · 725L JSON 1f · 7L Text 1f · 3L
├─ 📁 scripts
│ ├─ 🔧 ai-script-generator.sh Shell 214L · 6.6 KB
│ ├─ 🔧 audio-normalizer.sh Shell 68L · 1.8 KB
│ ├─ 🔧 auto-broll-insert.sh Shell 373L · 10.9 KB
│ ├─ 🔧 auto-chapter-marker.sh Shell 104L · 2.8 KB
│ ├─ 🔧 auto-color-grade.sh Shell 227L · 6.5 KB
│ ├─ 🔧 auto-publish.sh Shell 385L · 9.3 KB
│ ├─ 🔧 auto-rough-cut.sh Shell 92L · 2.6 KB
│ ├─ 🔧 auto-thumbnail.sh Shell 71L · 2.1 KB
│ ├─ 🔧 auto-video-from-topic.sh Shell 267L · 6.7 KB
│ ├─ 🔧 auto-video-maker.sh Shell 528L · 19.3 KB
│ ├─ 🔧 auto-voiceover.sh Shell 87L · 2.4 KB
│ ├─ 🔧 media-collector.sh Shell 458L · 17.3 KB
│ ├─ 🔧 multi-lang-subtitles.sh Shell 135L · 3.1 KB
│ ├─ 🔧 music-collector.sh Shell 279L · 9.1 KB
│ ├─ 🔧 scene-detect.sh Shell 45L · 1.4 KB
│ ├─ 🔧 smart-tagger.sh Shell 82L · 2.4 KB
│ └─ 🔧 tts-voiceover.sh Shell 330L · 11.1 KB
├─ 📁 webui
│ ├─ 🐍 app.py Python 725L · 38.4 KB
│ └─ 📄 requirements.txt Text 3L · 42 B
├─ 📝 AUTO_PUBLISH_README.md Markdown 211L · 3.8 KB
├─ 📝 AUTO_VIDEO_FEATURES.md Markdown 262L · 5.8 KB
├─ 📝 GUIDE.md Markdown 440L · 11.2 KB
├─ 📝 MATERIAL_SOURCE_GUIDE.md Markdown 230L · 4.5 KB
├─ 📋 package.json JSON 7L · 218 B
├─ 📝 QUICKSTART.md Markdown 244L · 4.8 KB
├─ 📝 README.md Markdown 319L · 6.2 KB
├─ 📝 SKILL.md Markdown 672L · 17.6 KB
├─ 🔧 start-webui.sh Shell 117L · 3.2 KB
└─ 📝 WHATSNEW.md Markdown 318L · 7.5 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| gradio | >=4.0.0 | pip | No | Version not pinned |
| numpy | >=1.20.0 | pip | No | Version not pinned |
| pillow | >=9.0.0 | pip | No | Version not pinned |

Security Positives

✓ All shell commands are documented and aligned with video production features
✓ No base64-encoded payloads or obfuscated code detected
✓ No credential harvesting beyond API keys needed for services
✓ No data exfiltration or suspicious network patterns
✓ External API calls are to documented services (Pexels, Pixabay, DashScope)
✓ WebUI serves locally by default with no remote access requirements
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ subprocess usage is necessary and expected for video editing tools