face swap
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent face-swap integration, but it uses a verging.ai API key and uploads selected face/video media to an external service.
Install only if you trust the publisher and verging.ai, set the API key through the environment rather than pasting it into prompts, and use the tool only with videos and face images you have permission to upload and transform.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may download videos, process local media, and write temporary/output files when the user asks for a face swap.
The skill instructs the agent to run external media/download tools such as yt-dlp, ffmpeg, ffprobe, curl. This is expected for the stated media-processing purpose, but command execution should remain limited to user-selected files and URLs.
Try `yt-dlp "URL" -o /tmp/verging-faceswap/video.mp4`
Review the requested video/image paths and URLs before use, and avoid running the workflow on files you do not intend to upload or modify.
Anyone with the API key may be able to access the user's verging.ai API functions or spend credits.
The skill requires a verging.ai API key and also permits passing it as a command option. This is purpose-aligned for the provider API, but the key grants account/API access and may consume credits.
| --api-key | -k | Your API Key | VERGING_API_KEY env |
Prefer the VERGING_API_KEY environment variable over putting keys in command text, keep the key private, and rotate it if it is exposed.
Face images and videos may leave the device and be stored or served by the external provider/CDN.
The workflow uploads the user-selected video and face image to a provider-supplied storage URL and uses a public_url in the job request. This is expected for cloud face swapping, but the artifacts do not describe retention or access controls for uploaded media.
Upload video file to the presigned URL ... "public_url": "https://img.panpan8.com/face-swap/2026-03-11/xxx.mp4"
Use only media you are comfortable uploading to verging.ai/provider storage, avoid highly sensitive or non-consensual images, and review the provider's privacy and retention terms.
It is harder to verify that the skill is officially maintained by the claimed provider before giving it an API key and media.
The registry metadata does not provide a verifiable source repository or homepage for this credentialed network skill. This is a provenance gap rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the publisher and install source before configuring VERGING_API_KEY, especially if using this with personal videos or face images.