v1.0.0

Demo Video Creator

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:55 AM.

Analysis

The skill appears purpose-aligned for making demo videos, but it attaches to an existing browser session and records/automates pages, so users should review what browser profile and pages it can access before running it.

GuidanceUse this skill only with a dedicated demo browser profile and sanitized demo data. Close unrelated tabs, review the DEMO_SEQUENCES actions before running, keep the frame output directory disposable, and verify that the generated frames/video do not include sensitive information.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

scripts/record-demo.js

await page.goto('http://localhost/dashboard');
await button.click();
await input.fill('example query');
await page.keyboard.press('Enter');

The script intentionally automates browser navigation and interactions. This is central to recording a demo, but it means actions happen automatically once the script is run.

User impactThe demo sequence can click buttons, type into forms, and press keys in the target app.

RecommendationReview and test the DEMO_SEQUENCES array on safe demo data before running it against any production or account-backed application.

Cascading Failures

SeverityLowConfidenceHighStatusNote

scripts/record-demo.js

if (fs.existsSync(outputDir)) {
  fs.rmSync(outputDir, { recursive: true });
}

Before saving frames, the script recursively deletes the configured output directory. The default is a dedicated ./demo-frames directory, but changing outputDir to an important path could remove existing files.

User impactExisting files in the chosen frame output directory will be deleted when the recorder runs.

RecommendationKeep outputDir set to a dedicated disposable folder and do not point it at project, home, or shared directories.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Required binaries (all must exist): none
No install spec — this is an instruction-only skill.

The metadata does not declare runtime requirements, while the SKILL.md asks for FFmpeg and the code imports playwright-core. This is an under-declared setup dependency rather than evidence of hidden behavior.

User impactThe skill may fail or require manual installation of dependencies that are not captured in the registry requirements.

RecommendationInstall only trusted versions of Node.js dependencies and FFmpeg, and consider adding explicit dependency declarations before distribution.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

scripts/record-demo.js

const browser = await chromium.connectOverCDP(CONFIG.cdpEndpoint);
const context = browser.contexts()[0];
const pages = context.pages();

The script attaches to an existing browser context over CDP rather than launching a fresh isolated browser. That context may contain active sessions or open pages, so the skill can operate with whatever browser privileges are already present.

User impactIf the browser profile is logged into real services or has sensitive pages open, the script could record or interact with that content while making the demo.

RecommendationRun it only against a dedicated demo browser profile or clean local app session, and close unrelated sensitive tabs before recording.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/record-demo.js

frames.push(Buffer.from(event.data, 'base64'));
fs.writeFileSync(path.join(outputDir, filename), frames[i]);

The skill stores captured browser screencast frames as local JPEG files. This persistence is expected for video creation, but the frames may contain whatever was visible in the browser.

User impactPrivate customer data, account details, tokens shown in the UI, or internal information could be saved into the frame directory or final video if visible during recording.

RecommendationUse sanitized demo data and inspect/delete the generated frames and video if they contain sensitive information.