videoclaw@3.0.0-alpha.4

Make AI videos from a one-line idea — a step-by-step CLI (vclaw) over Veo, Seedance & Runway with a readable JSON artifact at every stage, a human approval gate before any spend, and automated vision QC that catches motion defects (vapour, morphing, vanis

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Public snapshot

Behavioral surface
- Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
- Supply chain: HighEntropyStrings, UrlStrings
- Manifest: NoLicense
scanned 556 file(s), 5.13 MB of source, external domains: api.apiz.ai, api.elevenlabs.io, api.kie.ai, api.magnific.com, api.openai.com, api.useapi.net, api.xskill.ai, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, gobananasai.com, httpbin.org, kie.ai, metadata.google.internal, uguu.se, useapi.net, www.w3.org, www.xskill.ai

Source & flagged code

2 flagged

dist/video/audio-platform/native-lyria.js

L7:  *
L8:  * POST https://{REGION}-aiplatform.googleapis.com/v1/projects/{PROJECT}/
L9:  *   locations/{REGION}/publishers/google/models/{MODEL}:predict
L10: * Authorization: Bearer <token>
L11: * Body: { instances: [{ prompt: string }], parameters: { sampleCount: 1 } }
L12: * Response: { predictions: [{ bytesBase64Encoded: string (WAV), mimeType }] }
L13: * ...
L27: import { dirname } from 'node:path';
L28: import { execFile } from 'node:child_process';
L29: import { promisify } from 'node:util';
...
L86: try {
L87:   const metaResp = await fetcher('http://metadata.google.[redacted]-accounts/default/token', { headers: { 'Metadata-Flavor': 'Google' } });
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/video/audio-platform/native-lyria.js · L7

dist/video/review-ui.js

matchType = previous_version_dangerous_delta
matchedPackage = videoclaw@3.0.0-alpha.2
matchedIdentity = npm:dmlkZW9jbGF3:3.0.0-alpha.2
similarity = 0.942
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/video/review-ui.js

Findings

2 High · 3 Medium · 6 Low

- High: Cloud Metadata Access (dist/video/audio-platform/native-lyria.js)
- High: Previous Version Dangerous Delta (dist/video/review-ui.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License