Scan report
8/100
reelclaw
Create, produce, and schedule UGC-style short-form video reels at scale. Full pipeline: source UGC reaction hooks from DanSUGC, analyze app demos with Gemini AI, assemble reels with ffmpeg, publish via Post-Bridge, track performance.
ReelClaw is a legitimate UGC video production skill with no executable code, containing only Markdown documentation for video editing workflows using standard tools (ffmpeg, Gemini API, DanSUGC, Post-Bridge). All behavior is fully documented.
Safe to install
Approve for use. This is a documentation-only skill with no scripts or code that could execute malicious behavior. Users should still be aware of the external service dependencies (Gemini API key required, DanSUGC/Post-Bridge MCP servers needed).
Security findings (2)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Third-party font download without integrity verification | Supply chain | SKILL.md:86 |
| Info | Font URL legitimacy uncertainty | Documentation deception | SKILL.md:86 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md:70-95 - Font installation writes to $HOME/Library/Fonts or $HOME/.local… |
| Network access | READ | READ | ✓ Consistent | SKILL.md:145 - Direct video upload to Gemini API; SKILL.md:375 - curl upload to … |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:66-130 - Shell commands for ffmpeg installation, font download, preflig… |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:106-112 - Checks $GEMINI_API_KEY environment variable |
| Skill invocation | READ | READ | ✓ Consistent | SKILL.md:12 - Uses mcp__dansugc and mcp__post-bridge MCP tools |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser automation detected |
| Database | NONE | NONE | — | No database access detected |
External URL findings (8)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.cufonfonts.com/download/font/tiktok-sans | SKILL.md:86 |
| Medium | External URL | https://aistudio.google.com/apikey | SKILL.md:112 |
| Medium | External URL | https://tmpfiles.org/api/v1/upload | SKILL.md:375 |
| Medium | External URL | https://dansugc.com/api/mcp | SKILL.md:598 |
| Medium | External URL | https://dansugc.com | references/tools-setup.md:8 |
| Medium | External URL | https://www.post-bridge.com | references/tools-setup.md:44 |
| Medium | External URL | https://www.post-bridge.com/api/mcp/mcp | references/tools-setup.md:50 |
| Medium | External URL | https://app.dansugcmodels.com/api/v1/scrapecreators/ | references/tools-setup.md:110 |
Directory structure
4 files · 38.1 KB · 1123 lines (Markdown: 4 files · 1123 lines)
├─ references/
│  ├─ ffmpeg-patterns.md (Markdown)
│  ├─ green-zone.md (Markdown)
│  └─ tools-setup.md (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ No executable code files present - skill consists entirely of Markdown documentation
✓ All shell commands are fully documented with clear purpose (ffmpeg, font setup, preflight checks)
✓ GEMINI_API_KEY handling is explicitly documented with redaction policy (never expose in output)
✓ No credential harvesting or sensitive file access patterns detected
✓ No obfuscated code, base64 payloads, or anti-analysis techniques
✓ No persistence mechanisms (cron, startup scripts, backdoors) found
✓ No data exfiltration endpoints or C2 communication patterns
✓ MCP tool usage is declared and scoped to specific external services
✓ Video upload uses legitimate third-party services (tmpfiles.org, Google Gemini API)
✓ No supply chain risk from unpinned dependencies - no package managers used
✓ All behavior documented inline - no gap between declared and actual functionality