🎬 观影小管家 (movie-butler)
by duzhilei951 · GitHub · v1.0.0
Downloads: 421
Stars: 1
Active Installs: 1
Versions: 1
Install in OpenClaw
/install movie-butler
Description
Integrates TMDB with Emby/Plex to provide movie lookup, media library management, viewing history, and personalized recommendations.
Usage Guidance
What you should consider before installing:
- Inconsistency: The registry advertises no required env vars but the package and README expect TMDB, Emby (URL/API key/user id) and optionally Plex. Confirm with the author which credentials are actually needed.
- Hard-coded keys: index.js and SKILL.md include default API keys (TMDB and several OMDb keys). These may be placeholders or leaked keys; they are poor practice and could be abused. Do not rely on embedded keys; prefer to put your own API keys in a controlled location.
- .env path risk: The code uses dotenv with path.join(__dirname, '../../../.env') and SKILL.md instructs putting credentials in a user-specific .env path. That can cause the skill to load environment variables outside the skill folder (potentially other secrets). Before running, edit the code to point to a safe, explicit config path you control, or run the skill in a sandboxed environment.
- Prompt-injection marker: A unicode-control-chars pattern was found in SKILL.md. Treat documentation and prompts carefully; validate that runtime prompts and instructions haven't been tampered with.
- Practical mitigations: (1) Review and remove any hard-coded keys; replace with explicit required env variables and clear docs. (2) Modify dotenv path to an approved, explicit file (not '../../../.env'). (3) Run the code in an isolated VM/container and monitor network calls to confirm only TMDB/Emby/Plex endpoints are contacted. (4) If you don't trust the source, don't provide any real API keys or sensitive service tokens until code is audited or the author provides a signed/official release.
If you want, I can: point to the exact lines with hard-coded keys and dotenv usage, suggest a safe code change to use process.env only (no default keys), or produce a checklist to audit network behavior before trusting this skill.
Capability Analysis
Type: OpenClaw Skill
Name: movie-butler
Version: 1.0.0
The skill is classified as suspicious primarily due to the presence of hardcoded default API keys for TMDB and OMDb, and a default Emby User ID within `index.js`. While these are likely intended for fallback or demonstration purposes, hardcoding any API keys or user IDs is a security vulnerability, as it could lead to exposure if these default credentials are compromised or misused. All network calls are directed to legitimate services (TMDB, OMDb) or a user-configured local Emby server, and file system operations are confined to the skill's `movie-memory.md` file, showing no signs of data exfiltration or unauthorized access.
Capability Assessment
Purpose & Capability
Registry metadata claims no required environment variables, but package.json, SKILL.md and index.js clearly expect TMDB, Emby (URL/API key/user id) and optional Plex credentials. The code also embeds default API keys and local Emby URLs. This is an internal inconsistency: either the registry metadata is wrong or the skill is asking for secrets it didn't declare.
Instruction Scope
SKILL.md instructs storing credentials in a specific absolute path (C:\Users\yz207\.openclaw\.env) and index.js/feishu-card.js use dotenv to load ../../../.env. The runtime instructions and code read/write the local movie-memory.md file and call TMDB/OMDb/Emby/Plex APIs (expected), but loading an outer .env path can cause the skill to read unrelated environment values. SKILL.md also contains a detected unicode-control-chars prompt-injection pattern.
Install Mechanism
No install spec (instruction-only) and no external downloads; that's lower risk. However the package includes executable JS files (index.js, feishu-card.js) that will be present on disk and executed; there is no build/install step declared, so execution will rely on these included files.
Credentials
The code legitimately needs TMDB and Emby/Plex credentials for its features, but: (1) the registry metadata advertised 'none' for required env vars while package.json lists required env; (2) multiple API keys (TMDB, several OMDb keys) are hard-coded as defaults in index.js and SKILL.md, which is poor practice and may indicate leaked or reused keys; (3) the practice of pointing to a user-specific absolute .env path and loading ../../../.env is disproportionate because it may expose other environment secrets on the host.
Persistence & Privilege
The skill is not marked always:true and does not claim elevated platform privileges, which is good. However the code intentionally loads an .env file from a relative path that climbs directories (../../../.env) and writes/updates movie-memory.md. Loading an outer .env can access secrets belonging to the host or other skills; combined with autonomous invocation this increases blast radius.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install movie-butler
- After installation, invoke the skill by name or use /movie-butler
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - a complete movie-watching management skill
Frequently Asked Questions
What is 🎬 观影小管家?
It integrates TMDB with Emby/Plex to provide movie lookup, media library management, viewing history, and personalized recommendations. It is an AI Agent Skill for Claude Code / OpenClaw, with 421 downloads so far.
How do I install 🎬 观影小管家?
Run "/install movie-butler" in the OpenClaw or Claude Code chat to install it in one step, no extra setup required.
Is 🎬 观影小管家 free?
Yes, 🎬 观影小管家 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does 🎬 观影小管家 support?
🎬 观影小管家 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 🎬 观影小管家?
It is built and maintained by duzhilei951 (@duzhilei951); the current version is v1.0.0.