product-demo-video Security Report — High Risk | ClawSafe

70 /100

product-demo-video

Create product demo videos with voiceover, text overlays, and real browser interactions using Puppeteer, edge-tts, PIL, and FFmpeg

Skill contains a catastrophic `rm -rf /` command in install-deps.sh:23 with no declared shell permissions, plus undeclared shell execution and dynamically generated Python code in record-demo.mjs.

Skill Nameproduct-demo-video

Duration86.7s

Enginepi

⛔

Do not install this skill

Do not deploy this skill. The install-deps.sh script contains `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` where shell glob expansion could resolve to `/tmp/` or broader paths if the archive doesn't extract as expected. Additionally, SKILL.md declares zero permissions but the implementation requires shell:WRITE, filesystem:WRITE, and network:READ. Remove the shell scripts entirely and declare required capabilities explicitly.

Attack Chain 3 steps

⬡

Escalation Skill invoked with Bash:WRITE capability, allowing shell command execution

SKILL.md

⬡

Escalation install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` — glob expansion could resolve to /tmp/ or broader paths if archive structure is unexpected

scripts/install-deps.sh:23

◉

Impact If run as root (e.g., in a Docker container), `rm -rf /tmp/` or broader path wipe could cause data loss across the system

scripts/install-deps.sh:23

Findings 6 items

Severity	Finding	Location
Critical	Destructive `rm -rf` glob command in install script RCE Line 23 of install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg--amd64-static`. The glob pattern `ffmpeg--amd64-static` could expand to /tmp/ itself or a broader path if the tarball extracts unexpectedly (e.g., flat files or to a parent directory). In a root container or misconfigured environment, this could wipe data beyond /tmp/. The intended use of a bare `rm -rf` with glob patterns near system directories is a severe operational hazard. `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` → Replace with explicit directory removal: use `rm -rf "${tmpdir}"` after saving the extracted directory path to a variable, or use a trap/cleanup function. Never use bare globs with rm -rf near /tmp.	`scripts/install-deps.sh:23`
High	Undeclared shell execution capability Doc Mismatch SKILL.md declares zero permissions in its frontmatter, yet record-demo.mjs uses execSync to run 5+ shell commands (edge-tts, ffmpeg x3, ffprobe, python3). This is a direct doc-to-code mismatch. The skill does not declare shell:WRITE, filesystem:WRITE, or network:READ in allowed-tools. execSync(`edge-tts --voice ${voice} --rate=${voiceRate} --text "${s.narration.replace(/"/g, '\\"')}" --write-media ${audioPath}`) → Declare all shell commands in SKILL.md frontmatter using allowed-tools mapping: Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE. Document why each tool is needed.	`scripts/record-demo.mjs:141`
High	Dynamically generated Python script executed at runtime RCE record-demo.mjs builds a Python script as a string (generateOverlayScript, ~75 lines) containing scene configuration data and PIL image processing code, writes it to /tmp, and executes it via execSync. This dynamic code generation from configuration data is undeclared functionality. fs.writeFileSync(`${workDir}/overlay.py`, pyScript); execSync(`python3 ${workDir}/overlay.py`, { stdio: 'inherit' }); → Either pre-write the overlay script and call it with scene data as arguments, or rewrite the overlay logic in Node.js using the canvas package. Document this behavior in SKILL.md.	`scripts/record-demo.mjs:148`
Medium	Unpinned pip dependencies Supply Chain install-deps.sh installs edge-tts and Pillow without version constraints. Pip defaults to the latest version, which could introduce breaking changes or malicious updates. `pip3 install edge-tts 2>/dev/null && echo "✅ edge-tts" \|\| echo "⚠️ edge-tts"` → Pin versions: pip3 install edge-tts==6.1.0 (or current stable) Pillow==10.x.x. Add a requirements.txt for reproducibility.	`scripts/install-deps.sh:8`
Medium	Remote script download over plain HTTP Supply Chain install-deps.sh downloads FFmpeg via curl from johnvansickle.com over HTTPS. The site may serve over plain HTTP, and the downloaded binary is copied directly to /usr/local/bin without integrity verification (no sha256 checksum). `curl -sL https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz -o /tmp/ffmpeg.tar.xz` → Verify the downloaded binary with a published SHA256 hash before extraction. Consider using package managers (apt, dnf) for FFmpeg installation instead.	`scripts/install-deps.sh:19`
Low	FFmpeg and ffprobe installed to /usr/local/bin Priv Escalation The install script copies extracted binaries to /usr/local/bin, which requires write access to system directories. If run as a non-root user, it will fail; if run as root, it modifies system state. `cp /tmp/ffmpeg-*-amd64-static/ffmpeg /usr/local/bin/` → Install to user-local bin (~/bin) or use the system's package manager. Document the privilege requirements.	`scripts/install-deps.sh:21`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	record-demo.mjs:141 execSync(`edge-tts ...`)
Shell	`NONE`	`WRITE`	✗ Violation	scripts/install-deps.sh:23 rm -rf glob command
Filesystem	`NONE`	`WRITE`	✗ Violation	record-demo.mjs:148 fs.writeFileSync(`${workDir}/overlay.py`, pyScript)
Network	`NONE`	`READ`	✗ Violation	install-deps.sh:19 curl downloads FFmpeg from johnvansickle.com
Network	`NONE`	`READ`	✗ Violation	record-demo.mjs:89 page.goto(s.url) — navigates to arbitrary URLs

1 Critical 4 findings

💀

Critical Dangerous Command 危险 Shell 命令

rm -rf /

scripts/install-deps.sh:23

🔗

Medium External URL 外部 URL

https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz

scripts/install-deps.sh:19

🔗

Medium External URL 外部 URL

https://yourapp.dev/

scripts/record-demo.mjs:56

🔗

Medium External URL 外部 URL

https://yourapp.dev/feature1/

scripts/record-demo.mjs:67

File Tree

5 files · 21.3 KB · 601 lines

JavaScript 1f · 303L Markdown 2f · 242L Shell 1f · 50L JSON 1f · 6L

├─ ▾ 📁 references

│ └─ 📝 demo-planning.md Markdown 77L · 2.3 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 install-deps.sh Shell 50L · 1.7 KB

│ └─ 📜 record-demo.mjs JavaScript 303L · 11.3 KB

├─ 📋 _meta.json JSON 6L · 132 B

└─ 📝 SKILL.md Markdown 165L · 5.8 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`puppeteer`	`not pinned`	npm i -g puppeteer	No	Installed globally without version constraint
`edge-tts`	`not pinned`	pip3 install edge-tts	No	No version constraint in install command
`Pillow`	`not pinned`	pip3 install Pillow	No	No version constraint in install command

Security Positives

✓ No credential theft: skill does not access ~/.ssh, ~/.aws, .env, or iterate environment variables for secrets

✓ No data exfiltration: no HTTP POSTs of user data to external servers

✓ No obfuscation: all code is readable plain text, no base64-encoded payloads or eval(atob(...)) patterns

✓ No persistence mechanisms: no cron jobs, startup scripts, or backdoor installations

✓ Legitimate purpose: the core functionality (video demo creation) matches documented behavior

Scan Report

Attack Chain 3 steps

Findings 6 items

File Tree

Dependencies 3 items

Security Positives