Scan Report
8/100
reelclaw
Create, produce, and schedule UGC-style short-form video reels at scale. Full pipeline: source UGC reaction hooks from DanSUGC, analyze app demos with Gemini AI, assemble reels with ffmpeg, publish via Post-Bridge, track performance.
ReelClaw is a legitimate UGC video production skill with no executable code, containing only Markdown documentation for video editing workflows using standard tools (ffmpeg, Gemini API, DanSUGC, Post-Bridge). All behavior is fully documented.
Safe to install
Approve for use. This is a documentation-only skill with no scripts or code that could execute malicious behavior. Users should still be aware of the external service dependencies (Gemini API key required, DanSUGC/Post-Bridge MCP servers needed).
Findings (2 items)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Third-party font download without integrity verification | Supply Chain | SKILL.md:86 |
| Info | Font URL legitimacy uncertainty | Doc Mismatch | SKILL.md:86 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md:70-95 - Font installation writes to $HOME/Library/Fonts or $HOME/.local… |
| Network | READ | READ | ✓ Aligned | SKILL.md:145 - Direct video upload to Gemini API; SKILL.md:375 - curl upload to … |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:66-130 - Shell commands for ffmpeg installation, font download, preflig… |
| Environment | READ | READ | ✓ Aligned | SKILL.md:106-112 - Checks $GEMINI_API_KEY environment variable |
| Skill Invoke | READ | READ | ✓ Aligned | SKILL.md:12 - Uses mcp__dansugc and mcp__post-bridge MCP tools |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser automation detected |
| Database | NONE | NONE | — | No database access detected |
External URLs (8 findings)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.cufonfonts.com/download/font/tiktok-sans | SKILL.md:86 |
| Medium | External URL | https://aistudio.google.com/apikey | SKILL.md:112 |
| Medium | External URL | https://tmpfiles.org/api/v1/upload | SKILL.md:375 |
| Medium | External URL | https://dansugc.com/api/mcp | SKILL.md:598 |
| Medium | External URL | https://dansugc.com | references/tools-setup.md:8 |
| Medium | External URL | https://www.post-bridge.com | references/tools-setup.md:44 |
| Medium | External URL | https://www.post-bridge.com/api/mcp/mcp | references/tools-setup.md:50 |
| Medium | External URL | https://app.dansugcmodels.com/api/v1/scrapecreators/ | references/tools-setup.md:110 |
File Tree
4 files · 38.1 KB · 1123 lines (all Markdown)
├─ references/
│  ├─ ffmpeg-patterns.md
│  ├─ green-zone.md
│  └─ tools-setup.md
└─ SKILL.md
Security Positives
✓ No executable code files present - skill consists entirely of Markdown documentation
✓ All shell commands are fully documented with clear purpose (ffmpeg, font setup, preflight checks)
✓ GEMINI_API_KEY handling is explicitly documented with redaction policy (never expose in output)
✓ No credential harvesting or sensitive file access patterns detected
✓ No obfuscated code, base64 payloads, or anti-analysis techniques
✓ No persistence mechanisms (cron, startup scripts, backdoors) found
✓ No data exfiltration endpoints or C2 communication patterns
✓ MCP tool usage is declared and scoped to specific external services
✓ Video upload uses legitimate third-party services (tmpfiles.org, Google Gemini API)
✓ No supply chain risk from unpinned dependencies - no package managers used
✓ All behavior documented inline - no gap between declared and actual functionality