Skill Trust Decision

dygod-movies

Movie crawler skill with legitimate functionality but multiple security misconfigurations including hardcoded credentials in documentation and code, unpinned dependencies, and unauthenticated API endpoints.

Source: Manual upload · Scanned: Apr 5, 2026

Files: 8
Artifacts: 138
Violations: 0
Findings: 5
Most direct threat evidence
High Credential Theft
Hardcoded NAS credentials in documentation

SKILL.md contains plaintext credentials for Synology NAS: account=xiaoai, passwd=Xx654321 at 192.168.123.223:5000

SKILL.md:120

Why this conclusion was reached

2/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

5 dependency or supply-chain issues need attention.

What drove the risk score up

Hardcoded credentials in SKILL.md +15

Synology NAS password 'Xx654321' exposed in documentation examples

Hardcoded credentials in code +15

scripts/dygod_crawler.py:305-308 contains plaintext credentials

Unpinned dependencies +10

requirements.txt uses '*' version specifiers for all packages

No authentication on FastAPI +5

service/main.py exposes download endpoint without auth

Most important evidence

High Credential Theft

Hardcoded NAS credentials in documentation

SKILL.md contains plaintext credentials for Synology NAS: account=xiaoai, passwd=Xx654321 at 192.168.123.223:5000

SKILL.md:120
Remove credentials from documentation. Use environment variables or configuration files for credentials.
High Credential Theft

Hardcoded NAS credentials in source code

scripts/dygod_crawler.py contains hardcoded Synology credentials at module level

scripts/dygod_crawler.py:305
Move credentials to environment variables or a secure config. Use the os.getenv('SYNOLOGY_PASS') pattern.
Medium Supply Chain

Unpinned Python dependencies

requirements.txt uses '*' for all versions, allowing automatic upgrades that could introduce vulnerabilities

service/requirements.txt:1
Pin exact versions: requests==2.32.3, beautifulsoup4==4.12.3, etc.
Medium Priv Escalation

Unauthenticated FastAPI endpoints

The /download and other endpoints have no authentication, allowing anyone to trigger downloads

service/main.py:170
Add authentication middleware or API key validation to protect endpoints.
Low Doc Mismatch

Insecure example in documentation

SKILL.md examples use curl.exe with credentials in URL query parameters, promoting insecure patterns

SKILL.md:132
Document secure credential handling and recommend environment-based configuration.

Declared capability vs actual capability

Capability    Verdict  Declared  Inferred  Evidence
Filesystem    Pass     READ      WRITE     SKILL.md:56 cache file writes
Network       Pass     READ      READ      scripts/dygod_crawler.py:73-84 HTTP GET requests
Shell         Pass     NONE      NONE      No subprocess/shell execution found
Environment   Pass     NONE      NONE      No environment variable access

Suspicious artifacts and egress

High IP Address
120.0.0.0

scripts/dygod_crawler.py:40

Medium External URL
http://192.168.123.223:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&account=xiaoai&passwd=Xx654321&session=DownloadStation&format=sid

SKILL.md:120

Medium External URL
http://192.168.123.223:5000/webapi/DownloadStation/task.cgi

SKILL.md:132

Medium External URL
http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=list&additional=transfer&_sid=YOUR_SID

SKILL.md:161

Medium External URL
http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=delete&id=TASK_ID&force_complete=false&_sid=YOUR_SID

SKILL.md:167

Medium External URL
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd

data/gndy_index.html:1

Medium External URL
http://www.w3.org/1999/xhtml

data/gndy_index.html:2

Medium External URL
http://www.dygod.net

data/gndy_index.html:43

Medium External URL
http://www.dygod.net/

data/gndy_index.html:44

Medium External URL
https://dygod.net/html/gndy/dyzz/20260307/131013.html

data/movies_cache.json:6

Medium External URL
https://dygod.net/html/gndy/dyzz/20101019/28863.html

data/movies_cache.json:34

Medium External URL
https://dygod.net/html/gndy/dyzz/20070612/2906.html

data/movies_cache.json:39

Dependencies and supply chain

Package          Version     Source  Known vuln  Notes
requests         >=2.32.0    pip     No          Version not pinned
beautifulsoup4   >=4.12.0    pip     No          Version not pinned
fastapi          >=0.115.0   pip     No          Version not pinned
uvicorn          >=0.32.0    pip     No          Version not pinned
httpx            >=0.27.0    pip     No          Version not pinned

File composition

8 files · 4876 lines
HTML: 2 files · 1955 lines
JSON: 2 files · 1712 lines
Python: 2 files · 1000 lines
Markdown: 1 file · 204 lines
Text: 1 file · 5 lines
Files of concern · 8
data/tv_index.html HTML · 1183 lines
http://www.dygod.net/html/3gp/3gpmovie/
data/gndy_index.html HTML · 772 lines
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd · http://www.w3.org/1999/xhtml · http://www.dygod.net · http://www.dygod.net/
data/movies_cache.json JSON · 1258 lines
https://dygod.net/html/gndy/dyzz/20260307/131013.html · https://dygod.net/html/gndy/dyzz/20101019/28863.html · https://dygod.net/html/gndy/dyzz/20070612/2906.html · https://dygod.net/html/gndy/dyzz/20130507/42183.html · https://dygod.net/html/gndy/dyzz/20160926/108530.html · https://dygod.net/html/gndy/dyzz/20110304/31168.html · https://dygod.net/html/gndy/dyzz/20260313/131092.html · https://dygod.net/html/gndy/dyzz/20090208/16879.html · https://dygod.net/html/gndy/dyzz/20260313/131091.html · https://dygod.net/html/gndy/dyzz/20260313/131087.html · https://dygod.net/html/gndy/dyzz/20260313/131085.html · https://dygod.net/html/gndy/dyzz/20260313/131086.html · https://dygod.net/html/gndy/dyzz/20260313/131089.html · https://dygod.net/html/gndy/dyzz/20210612/115133.html · https://dygod.net/html/gndy/dyzz/20100105/23821.html · https://dygod.net/html/gndy/dyzz/20260312/131083.html · https://dygod.net/html/gndy/dyzz/20260312/131082.html · https://dygod.net/html/gndy/dyzz/20141229/105608.html · https://dygod.net/html/gndy/dyzz/20260312/131077.html · https://dygod.net/html/gndy/dyzz/20260312/131076.html · https://dygod.net/html/gndy/dyzz/20260312/131075.html · https://dygod.net/html/gndy/dyzz/20260312/131074.html · https://dygod.net/html/gndy/dyzz/20260312/131073.html · https://dygod.net/html/gndy/dyzz/20260312/131066.html · https://dygod.net/html/gndy/dyzz/20260312/131067.html · https://dygod.net/html/gndy/dyzz/20260312/131068.html · https://dygod.net/html/gndy/dyzz/20260312/131069.html · https://dygod.net/html/gndy/dyzz/20150806/106691.html · https://dygod.net/html/gndy/dyzz/20090301/17224.html · https://dygod.net/html/gndy/dyzz/20260303/130943.html · https://dygod.net/html/gndy/dyzz/20131206/103704.html · https://dygod.net/html/gndy/dyzz/20140929/105156.html · https://dygod.net/html/gndy/dyzz/20260227/130889.html · https://dygod.net/html/gndy/dyzz/20260311/131062.html · https://dygod.net/html/gndy/dyzz/20070901/5368.html · 
https://dygod.net/html/gndy/dyzz/20090727/20542.html · https://dygod.net/html/gndy/dyzz/20260311/131059.html · https://dygod.net/html/gndy/dyzz/20260311/131060.html · https://dygod.net/html/gndy/dyzz/20260310/131049.html · https://dygod.net/html/gndy/dyzz/20260310/131055.html · https://dygod.net/html/gndy/dyzz/20070814/4857.html · https://dygod.net/html/gndy/dyzz/20260310/131050.html · https://dygod.net/html/gndy/dyzz/20260310/131051.html · https://dygod.net/html/gndy/dyzz/20081007/14599.html · https://dygod.net/html/gndy/dyzz/20260309/131042.html · https://dygod.net/html/gndy/dyzz/20260310/131058.html · https://dygod.net/html/gndy/dyzz/20190928/112428.html · https://dygod.net/html/gndy/dyzz/20260309/131040.html · https://dygod.net/html/gndy/dyzz/20260309/131038.html · https://dygod.net/html/gndy/dyzz/20260309/131037.html
scripts/dygod_crawler.py Python · 775 lines
Hardcoded NAS credentials in source code · 120.0.0.0 · https://dygod.net/html/gndy/dyzz/ · https://dygod.net
data/tv_cache.json JSON · 454 lines
https://dygod.net/html/tv/hytv/20251213/129594.html · https://dygod.net/html/tv/hytv/20260228/130900.html · https://dygod.net/html/tv/hytv/20260309/131041.html · https://dygod.net/html/tv/hytv/20260312/131084.html · https://dygod.net/html/tv/hytv/20260312/131080.html · https://dygod.net/html/tv/hytv/20260312/131079.html · https://dygod.net/html/tv/hytv/20260312/131081.html · https://dygod.net/html/tv/hytv/20260308/131032.html · https://dygod.net/html/tv/hytv/20260312/131072.html · https://dygod.net/html/tv/hytv/20260306/131003.html · https://dygod.net/html/tv/hytv/20260226/130866.html · https://dygod.net/html/tv/hytv/20260310/131056.html · https://dygod.net/html/tv/hytv/20260226/130867.html · https://dygod.net/html/tv/hytv/20260305/130972.html · https://dygod.net/html/tv/hytv/20260307/131009.html · https://dygod.net/html/tv/hytv/20260222/130837.html · https://dygod.net/html/tv/hytv/20260312/131071.html · https://dygod.net/html/tv/hytv/20260224/130858.html · https://dygod.net/html/tv/hytv/20260121/130360.html · https://dygod.net/html/tv/hytv/20260121/130362.html · https://dygod.net/html/tv/hytv/20260311/131065.html · https://dygod.net/html/tv/hytv/20260304/130958.html · https://dygod.net/html/tv/hytv/20260228/130905.html · https://dygod.net/html/tv/hytv/20251117/129222.html · https://dygod.net/html/tv/hytv/20251014/128653.html · https://dygod.net/html/tv/rihantv/20260205/130589.html · https://dygod.net/html/tv/rihantv/20260205/130590.html · https://dygod.net/html/tv/rihantv/20260122/130363.html · https://dygod.net/html/tv/rihantv/20260116/130267.html · https://dygod.net/html/tv/rihantv/20260122/130376.html · https://dygod.net/html/tv/rihantv/20260115/130257.html · https://dygod.net/html/tv/rihantv/20260109/130100.html · https://dygod.net/html/tv/rihantv/20260304/130961.html · https://dygod.net/html/tv/rihantv/20260204/130558.html · https://dygod.net/html/tv/rihantv/20260114/130238.html · https://dygod.net/html/tv/rihantv/20260107/130067.html · 
https://dygod.net/html/tv/rihantv/20260114/130237.html · https://dygod.net/html/tv/rihantv/20260228/130899.html · https://dygod.net/html/tv/rihantv/20260120/130339.html · https://dygod.net/html/tv/rihantv/20260113/130217.html · https://dygod.net/html/tv/rihantv/20260113/130216.html · https://dygod.net/html/tv/rihantv/20260113/130215.html · https://dygod.net/html/tv/rihantv/20260202/130533.html · https://dygod.net/html/tv/rihantv/20260106/130038.html · https://dygod.net/html/tv/rihantv/20260112/130193.html · https://dygod.net/html/tv/rihantv/20260113/130198.html · https://dygod.net/html/tv/rihantv/20260301/130924.html · https://dygod.net/html/tv/rihantv/20260202/130539.html · https://dygod.net/html/tv/rihantv/20260118/130314.html · https://dygod.net/html/tv/rihantv/20260217/130767.html · https://dygod.net/html/tv/oumeitv/20251021/128747.html · https://dygod.net/html/tv/oumeitv/20260116/130279.html · https://dygod.net/html/tv/oumeitv/20260306/130995.html · https://dygod.net/html/tv/oumeitv/20260106/130033.html · https://dygod.net/html/tv/oumeitv/20260312/131070.html · https://dygod.net/html/tv/oumeitv/20260214/130705.html · https://dygod.net/html/tv/oumeitv/20250918/128200.html · https://dygod.net/html/tv/oumeitv/20260110/130121.html · https://dygod.net/html/tv/oumeitv/20260130/130478.html · https://dygod.net/html/tv/oumeitv/20251023/128788.html · https://dygod.net/html/tv/oumeitv/20260109/130101.html · https://dygod.net/html/tv/oumeitv/20260122/130364.html · https://dygod.net/html/tv/oumeitv/20260305/130969.html · https://dygod.net/html/tv/oumeitv/20251026/128817.html · https://dygod.net/html/tv/oumeitv/20260310/131054.html · https://dygod.net/html/tv/oumeitv/20251223/129769.html · https://dygod.net/html/tv/oumeitv/20260225/130861.html · https://dygod.net/html/tv/oumeitv/20260311/131063.html · https://dygod.net/html/tv/oumeitv/20201102/113893.html · https://dygod.net/html/tv/oumeitv/20251016/128692.html · https://dygod.net/html/tv/oumeitv/20260302/130939.html · 
https://dygod.net/html/tv/oumeitv/20260304/130960.html · https://dygod.net/html/tv/oumeitv/20260309/131047.html · https://dygod.net/html/tv/oumeitv/20260309/131048.html · https://dygod.net/html/tv/oumeitv/20251015/128675.html
service/main.py Python · 225 lines
Unauthenticated FastAPI endpoints · https://www.dygod.net/html/tv/
SKILL.md Markdown · 204 lines
Hardcoded NAS credentials in documentation · Insecure example in documentation · http://192.168.123.223:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&account=xiaoai&passwd=Xx654321&session=DownloadStation&format=sid · http://192.168.123.223:5000/webapi/DownloadStation/task.cgi · http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=list&additional=transfer&_sid=YOUR_SID · http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=delete&id=TASK_ID&force_complete=false&_sid=YOUR_SID
service/requirements.txt Text · 5 lines
Unpinned Python dependencies

Security positives

No subprocess/shell execution capabilities
No credential harvesting from system
No base64 obfuscation or anti-analysis techniques
No attempts to access ~/.ssh, ~/.aws, or other sensitive paths
No external C2 communication or data exfiltration
Clear documentation of intended web scraping functionality
Uses standard libraries (requests, BeautifulSoup) for legitimate scraping