Trusted — Risk Score 5/100
Last scan: 2 days ago
AI Content Repurposer
Transform long-form content into multiple formats: YouTube→TikTok/Shorts, Blog→Twitter/LinkedIn, Podcast→Transcripts/Summaries
The AI Content Repurposer skill is a straightforward content transformation tool with no malicious behavior. All operations are declared, legitimate, and confined to their stated purpose.
Skill Name: AI Content Repurposer
Duration: 34.9s
Engine: pi
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | bin/cli.js: fs.readFileSync() for input files; fs.writeFileSync() only for -o ou… |
| Network | READ | READ | ✓ Aligned | src/converter.js: axios.get() for blog URLs; axios.post() to api.openai.com for … |
| Shell | NONE | NONE | | No subprocess, exec, or shell command invocation found anywhere in the codebase |
| Environment | READ | READ | ✓ Aligned | src/converter.js:15 — process.env.OPENAI_API_KEY accessed for API key, used only… |
| Skill Invoke | NONE | NONE | | No inter-skill invocation detected |
| Clipboard | NONE | NONE | | No clipboard access found |
| Browser | NONE | NONE | | No browser automation detected |
| Database | NONE | NONE | | No database access found |
1 High 9 findings
🔑
High · API Key · Suspected hardcoded credential
apiKey: 'your-openai-api-key'
SKILL.md:257
🔗
Medium · External URL
https://yourblog.com/post
QUICKSTART.md:41
🔗
Medium · External URL
https://img.shields.io/badge/version-1.0.0-blue
README.md:7
🔗
Medium · External URL
https://img.shields.io/badge/license-MIT-green
README.md:8
🔗
Medium · External URL
https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen
README.md:9
🔗
Medium · External URL
https://clawhub.ai/skills/ai-content-repurposer
README.md:294
🔗
Medium · External URL
https://www.youtube.com/watch?v=dQw4w9WgXcQ
test/test.js:30
🔗
Medium · External URL
https://youtu.be/dQw4w9WgXcQ
test/test.js:37
📧
Info · Email address
[email protected]
README.md:296

File Tree

13 files · 84.3 KB · 2900 lines
Markdown 5f · 1346L JavaScript 3f · 778L JSON 4f · 749L Text 1f · 27L
├─ 📁 bin
│ └─ 📜 cli.js JavaScript 327L · 10.8 KB
├─ 📁 examples
│ ├─ 📋 batch-config.json JSON 33L · 864 B
│ └─ 📄 sample-transcript.txt Text 27L · 1.8 KB
├─ 📁 src
│ └─ 📜 converter.js JavaScript 363L · 11.0 KB
├─ 📁 test
│ └─ 📜 test.js JavaScript 88L · 2.5 KB
├─ 📋 clawhub.json JSON 65L · 1.6 KB
├─ 📝 COMPLETION_REPORT.md Markdown 337L · 9.3 KB
├─ 📝 LAUNCH_CHECKLIST.md Markdown 179L · 4.9 KB
├─ 📋 package-lock.json JSON 609L · 21.3 KB
├─ 📋 package.json JSON 42L · 1003 B
├─ 📝 QUICKSTART.md Markdown 166L · 3.8 KB
├─ 📝 README.md Markdown 327L · 6.6 KB
└─ 📝 SKILL.md Markdown 337L · 8.7 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| axios | ^1.6.0 | npm | No | Standard HTTP client, used only for declared API calls |
| cheerio | ^1.0.0-rc.12 | npm | No | HTML parser for blog content extraction |
| commander | ^11.0.0 | npm | No | CLI argument parsing |

Security Positives

✓ No shell command execution, subprocess, or os.system calls anywhere in the codebase
✓ No base64 encoding, eval(), or dynamic code execution
✓ No credential harvesting — OPENAI_API_KEY is read only for the declared OpenAI API call
✓ No network connections to external IPs beyond the documented api.openai.com endpoint
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No remote script download or execution (no curl|bash or wget|sh patterns)
✓ No hidden HTML instructions or steganographic payloads
✓ Network requests limited to declared purposes: blog fetching and OpenAI API
✓ Dependencies (axios, cheerio, commander) are standard and version-pinned via the included package-lock.json (the declared versions are caret ranges)
✓ File I/O is restricted to user-specified input files and output paths via CLI flags