ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audio Mastering CLI

v1.0.2

CLI audio mastering without a reference track using ffmpeg; accepts audio or video inputs and outputs mastered WAV/MP3 or remuxed MP4.

0· 735·2 current·2 all-time
byRolf@alesys
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (CLI audio mastering) align with the declared requirements (ffmpeg and powershell). However, the SKILL.md explicitly runs a local script at {baseDir}/scripts/master_media.ps1. That script is not present in the package and there is no install spec to obtain it, so the skill cannot perform its claimed function as-is and would require fetching/executing external code.
Instruction Scope
Instructions are narrowly scoped to running a local PowerShell script which in turn is expected to call ffmpeg; there are no declared steps that exfiltrate data or read unrelated system credentials. However the recommended command uses -ExecutionPolicy Bypass and runs an external script file — running PowerShell scripts obtained from outside should be audited because they can perform arbitrary I/O, network activity, or spawn other processes.
!
Install Mechanism
There is no install spec (instruction-only), which is low-risk in itself. But README and SKILL.md imply a repository with a scripts/ directory; the packaged files do not include the referenced script. The missing script means an operator would need to clone/download code from the referenced GitHub URL (or another source) before use — that download step is not specified or verified in the package and is a potential supply-chain risk.
Credentials
The skill requests no environment variables or credentials and only needs ffmpeg and powershell, which are appropriate for a Windows ffmpeg wrapper. There are no unrelated secrets or config paths requested.
Persistence & Privilege
The skill does not request persistent presence (always:false) and uses default autonomous invocation. It does not attempt to modify other skills or system-wide settings in the provided instructions.
What to consider before installing
Do not run the provided PowerShell command until you have the actual script and have inspected it. The SKILL.md expects a file scripts/master_media.ps1 that is not included in this package; acquiring that script from an external repo (or running it directly) could execute arbitrary commands. Steps to take before installing or running: 1) Obtain the referenced GitHub repo URL from the metadata and clone it yourself; 2) Inspect scripts/master_media.ps1 for any network calls, file operations, or calls to other binaries; 3) Verify that any ffmpeg commands in the script do only local re-encoding/remuxing and do not upload data; 4) Avoid running PowerShell with -ExecutionPolicy Bypass on untrusted scripts — run in a sandboxed VM or isolated environment if possible; 5) Prefer to fetch the code from the official repo and confirm its integrity (commit hash, maintainer) rather than running a missing script from an unspecified source. If the author can provide the missing script in the package or a clear install step that fetches a signed/verified release, re-evaluate; otherwise treat this package as incomplete and potentially risky.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749yfp9w1njg79rkdqnmhgx181pq9y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎚️ Clawdis
OSWindows
Binsffmpeg, powershell

Comments