🎬 观影小管家

整合TMDB与Emby/Plex，提供电影查询、媒体库管理、观影记录和个性化推荐服务。

What you should consider before installing: - Inconsistency: The registry advertises no required env vars but the package and README expect TMDB, Emby (URL/API key/user id) and optionally Plex. Confirm with the author which credentials are actually needed. - Hard-coded keys: index.js and SKILL.md include default API keys (TMDB and several OMDb keys). These may be placeholders or leaked keys — they are poor practice and could be abused. Do not rely on embedded keys; prefer to put your own API keys in a controlled location. - .env path risk: The code uses dotenv with path.join(__dirname, '../../../.env') and SKILL.md instructs putting credentials in a user-specific .env path. That can cause the skill to load environment variables outside the skill folder (potentially other secrets). Before running, edit the code to point to a safe, explicit config path you control, or run the skill in a sandboxed environment. - Prompt-injection marker: A unicode-control-chars pattern was found in SKILL.md. Treat documentation and prompts carefully; validate that runtime prompts and instructions haven't been tampered with. - Practical mitigations: (1) Review and remove any hard-coded keys; replace with explicit required env variables and clear docs. (2) Modify dotenv path to an approved, explicit file (not '../../../.env'). (3) Run the code in an isolated VM/container and monitor network calls to confirm only TMDB/Emby/Plex endpoints are contacted. (4) If you don't trust the source, don't provide any real API keys or sensitive service tokens until code is audited or the author provides a signed/official release. If you want, I can: point to the exact lines with hard-coded keys and dotenv usage, suggest a safe code change to use process.env only (no default keys), or produce a checklist to audit network behavior before trusting this skill.

Type: OpenClaw Skill Name: movie-butler Version: 1.0.0 The skill is classified as suspicious primarily due to the presence of hardcoded default API keys for TMDB and OMDb, and a default Emby User ID within `index.js`. While these are likely intended for fallback or demonstration purposes, hardcoding any API keys or user IDs is a security vulnerability, as it could lead to exposure if these default credentials are compromised or misused. All network calls are directed to legitimate services (TMDB, OMDb) or a user-configured local Emby server, and file system operations are confined to the skill's `movie-memory.md` file, showing no signs of data exfiltration or unauthorized access.