video-quick-gen Security Report — Trusted | ClawSafe

10 /100

video-quick-gen

营销视频生成服务，通过小念AI的视频模块快速生成营销视频

Video generation skill with straightforward HTTP API calls and file download functionality, fully aligned with declared documentation.

Skill Namevideo-quick-gen

Duration43.4s

Enginepi

✓

Safe to install

No action required. Consider rotating the hardcoded API token periodically as a best practice.

Findings 2 items

Severity	Finding	Location
Low	Environment variable access not documented Sensitive Access The script reads DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASSWORD environment variables for authentication, but SKILL.md only mentions 'built-in token, no configuration needed'. `token = os.getenv("DASHBOARD_TOKEN") or DEFAULT_TOKEN` → Document optional environment variables in SKILL.md for transparency	`scripts/video_quick_gen.py:80`
Low	Hardcoded API token in source Credential Theft A default API token is embedded in the source code at line 75. While this is a service token (not user credentials), hardcoding tokens is a poor security practice. `DEFAULT_TOKEN = "atk_ajhhuxTyHciMIxZQ_vt_boqVeG_zTr4Ix9REWuVBXSc"` → Use only environment variable for token; remove default from source or document it clearly	`scripts/video_quick_gen.py:75`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares video output; scripts/video_quick_gen.py:178 _download() write…
Network	`READ`	`READ`	✓ Aligned	SKILL.md declares API base URL; code makes POST/GET to /video/script/gen, /video…
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`READ`	✓ Aligned	Lines 80-87 read DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASSWORD env vars -…
Skill Invoke	`NONE`	`NONE`	—	No skill invocation found
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser access
Database	`NONE`	`NONE`	—	No database access

2 findings

🔗

Medium External URL 外部 URL

https://xiaonian.cc

SKILL.md:12

🔗

Medium External URL 外部 URL

https://xiaonian.cc/employee-console/dashboard/v2/api

SKILL.md:13

3 files · 11.4 KB · 342 lines

Python 1f · 252L Markdown 2f · 90L

├─ ▾ 📁 references

│ └─ 📝 video-api.md Markdown 33L · 682 B

├─ ▾ 📁 scripts

│ └─ 🐍 video_quick_gen.py Python 252L · 9.1 KB

└─ 📝 SKILL.md Markdown 57L · 1.6 KB

Package	Version	Source	Known Vulns	Notes
`urllib (stdlib)`	`built-in`	Python stdlib	No	No third-party dependencies

✓ No shell execution or arbitrary command execution

✓ No obfuscation (no base64, eval, or anti-analysis techniques)

✓ No credential harvesting beyond API authentication

✓ No data exfiltration or C2 communication

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No download/execution of remote scripts

✓ Standard library only (urllib) - no third-party dependencies

✓ HTTP requests limited to declared API endpoints

✓ File write limited to explicit --out parameter with user-controlled path

✓ Clear workflow: script gen → task create → poll state