jianying-editor

Fail

Audited by Socket on Jun 13, 2026

4 alerts found:

Anomalyx2Obfuscated Filex2
AnomalyLOW
README.md

本片段未提供可审计的业务实现代码,因而不能直接证明存在窃取、后门或恶意负载。但文档中包含一个高度敏感的供应链执行入口(PowerShell `irm ... | iex` 远端即时执行),并且还涉及 `pip` 依赖安装与 Playwright/Chromium 下载、网页渲染录制、桌面自动化导出等扩展攻击面。建议对远端安装脚本与仓库实际运行的安装/启动脚本进行完整校验与独立审计后再使用。

Confidence: 100%Severity: 60%
AnomalyLOW
rules/setup.md

The code is primarily a local bootstrap for discovering and importing JyProject, but it introduces a significant supply-chain-like/local attack surface: it prepends a dynamically chosen scripts directory to sys.path based partly on an environment variable and filesystem presence, then imports jy_wrapper from that location without integrity checks. If an attacker can influence JY_SKILL_ROOT or plant/replace jy_wrapper.py in any searched directory, this can lead to import-time arbitrary code execution. Aside from this, the macOS PATH adjustment is likely benign, and there are no direct indicators of overt malware in the shown fragment.

Confidence: 100%Severity: 60%
Obfuscated FileHIGH
assets/artistEffect/7187739440347958589/266eb863a42498a72c5c67bb8845c24c/texture/122.texture

The supplied file is an opaque binary-like blob, not readable JavaScript source. Static analysis of malicious behavior is inconclusive from this fragment alone. This artifact is suspicious because opaque high-entropy blobs in source packages are an established vector for hiding malicious payloads that are later decoded and executed by other package code. Action: treat it as suspicious until you (1) locate and audit any code that references/decodes/executes this blob, (2) inspect package.json/install scripts, and (3) if necessary extract and analyze the blob in an isolated sandbox. If no code references or executes it and it is a legitimate asset, risk is low; otherwise, risk can be high.

Confidence: 90%
Obfuscated FileHIGH
references/video_analysis_template.py

No explicit in-file malware found (no shell, no obfuscated payloads, no hardcoded credentials). However, the module poses moderate security risk primarily via supply-chain and data-exfiltration vectors: it prepends relative 'libs' directories to sys.path (allows malicious local api_client), uploads arbitrary local video files to a remote AI service without validation or consent, and writes streamed AI output to disk without sanitization. The file is also syntactically broken/incomplete, suggesting tampering or a corrupted copy. Recommend: do not run this file as-is; verify provenance of AntigravityClient, remove or harden sys.path manipulation, validate and constrain files before upload (size/type), import re, fix missing prompt and main routine, and add strict error handling and logging before use.

Confidence: 90%
Audit Metadata
Analyzed At
Jun 13, 2026, 08:13 AM
Package URL
pkg:socket/skills-sh/luoluoluo22%2Fjianying-editor-skill%2Fjianying-editor%2F@f421c8a036f4fda888a83b38fc90bb9c00d6faa9
Security Audit — socket — jianying-editor