Is dumoedss/acestep-simplemv safe?

The shell scripts render.sh and render-mv.sh both execute 'node render.mjs' as their core operation, but render.mjs was not captured by the audit's source-code collection because the glob pattern *.js does not match .mjs files. This is the most significant code execution entry point and could contain arbitrary logic including credential reads, network calls, or file system access beyond what the shell wrappers suggest.

The package-lock.json resolves the overwhelming majority of npm packages (including @remotion/cli, remotion, esbuild, webpack, and dozens of transitive dependencies) from registry.npmmirror.com rather than the official registry.npmjs.org. npmmirror.com is a third-party operated mirror. While integrity hashes are present in the lockfile, using a non-official registry is a supply chain risk vector, particularly because esbuild has an install script that downloads native binaries — those binaries could originate from the mirror's served content.

The esbuild package is flagged hasInstallScript: true in package-lock.json. During npm install, esbuild downloads a platform-specific native binary and executes a postinstall script. Since esbuild itself is served from npmmirror.com, the binary download URL and integrity could theoretically be influenced by the mirror. This is a legitimate esbuild behavior but represents a code execution choke point when combined with the non-standard registry.

Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed (OPEN+ACCESS syscalls) during the audit window. The accesses at 1771938636 and 1771938655 are consistent with the oathe pre/post scan pattern, but isolated .env accesses at 1771938644.956 and 1771938652.589 fall in the post-clone window where the skill was present. Process attribution is ambiguous. Canary integrity is confirmed intact.

Both render-mv.sh and the SKILL.md document the --browser CLI flag and BROWSER_EXECUTABLE environment variable as overrides for which executable Remotion uses as its Chrome browser. An agent operating this skill could be socially engineered into passing --browser /path/to/malicious/binary, causing that binary to execute with the user's privileges during rendering.

After skill installation, two ESTABLISHED TCP connections to 3.217.42.175:443 (AWS) are visible in the connection diff, attributed to the openclaw-gatewa process (pid=1088). These appear to be the audit infrastructure's own connections, not from the skill. No skill-attributable outbound connections were observed.

SKILL.md's First-Time Setup section instructs the agent to run 'npm install' and shell scripts. While this is expected for a tool-type skill, it expands the agent's code execution surface and could be leveraged if the skill's npm dependencies are compromised. The instructions are clear and do not attempt to hide this requirement.

The defaultProps in types.ts include creditText: 'Powered by Claude Code + ACE-Step', indicating the skill author specifically designed this tool for Claude Code users. This is informational and not itself malicious, but confirms the skill intentionally targets the Claude Code agent platform.