Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FFmpeg Master Pro

v2.3.1

FFmpeg Master Pro - an all-in-one video processing skill. Use it when the user needs video processing; supports video conversion, video compression, video editing, and more. Use when the user asks for video processing, video conversion, video compression, FFmpeg, video editing, video transcoding, video clipping, subtitle handling, video optimization, batch video processing, GIF conversion, video flipping, speed adjustment, audio extraction, video ...

0 · 229 · 2 current · 2 all-time
by sniper-one@aqbjqtd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code and SKILL.md implement a comprehensive FFmpeg-based processing toolkit (transcode, smart-cut, presets, GPU detection), which matches the skill name and description. However, the registry metadata declares no required binaries, while SKILL.md and the code require ffmpeg/ffprobe (and optionally nvidia-smi/amdgpu-info/vainfo). The missing declaration of those required binaries in the metadata is an inconsistency.
Instruction Scope (flagged)
Runtime instructions explicitly tell the agent to run ffmpeg/ffprobe and to use 'exec background:true' for long tasks. SKILL.md directs the agent to prefer executing the bundled scripts under scripts/ when available. Those Python scripts call subprocess.run on ffmpeg, ffprobe, nvidia-smi and other tools, and they read and write files. SKILL.md and the code accept user-provided input and output paths and use them directly, with no guidance on validating untrusted input or confining paths. Unless every user-controlled value is passed as its own argv element and restricted to an allowed directory, this combination risks command injection (if a command line is assembled as a shell string) and exposure of local files (any readable path can be handed to ffmpeg/ffprobe as input, and an output path can overwrite anything the agent can write).
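To make the injection and file-exposure concern concrete, the following is an added illustration in Python, not code from the skill or from the ClawHub scanner: the string-splicing pattern the report warns about, next to a hardened builder that passes each user value as a separate argv element and confines paths to an operator-chosen media directory. The function names, the temporary media directory and the hostile file name are assumptions made for this demonstration.

```python
"""Added example, not code from the FFmpeg Master Pro skill: the unsafe and the
hardened way to turn user-supplied paths into an ffmpeg invocation. The
function names, the media directory and the sample file names are assumptions
made for this demonstration."""
import subprocess
import tempfile
from pathlib import Path


def build_cmd_unsafe(src: str, dst: str) -> str:
    """VULNERABLE: splices user-controlled paths into one shell string.

    Once this reaches subprocess.run(cmd, shell=True) or os.system(cmd), a
    "file name" such as 'clip.mp4; rm -rf ~' is two shell commands.
    """
    return f"ffmpeg -i {src} -c:v libx264 {dst}"


class UnsafePath(ValueError):
    """A user-supplied path resolved outside the allowed media directory."""


def confine(user_path: str, base: Path) -> Path:
    """Resolve user_path against base and require the result to stay under base.

    resolve() follows symlinks and collapses '..', so 'x/../../etc/passwd', an
    absolute '/etc/passwd' (pathlib discards base when joining an absolute
    path) and a symlink that points out of base are all rejected. It also works
    for output files that do not exist yet.
    """
    base = base.resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise UnsafePath(f"{user_path!r} escapes {base}")
    return target


def build_cmd_safe(src: str, dst: str, base: Path) -> list[str]:
    """HARDENED: argv list (no shell), paths confined and made absolute.

    An argv list alone is not enough: ffmpeg would still read a leading '-' as
    an option and 'http://...', 'concat:...' or 'pipe:' as a protocol. A
    confined absolute path starts with a separator (on POSIX), so neither can
    happen. -nostdin keeps ffmpeg from prompting (and hanging the agent) when
    the output already exists.
    """
    src_p = confine(src, base)
    dst_p = confine(dst, base)
    return ["ffmpeg", "-nostdin", "-i", str(src_p), "-c:v", "libx264", str(dst_p)]


def run_safe(argv: list[str]) -> subprocess.CompletedProcess:
    """Execute the argv list without a shell; stderr is captured for logging."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def demo() -> dict:
    """Feed both builders hostile input and return what each produced.

    Nothing is executed, so ffmpeg does not need to be installed to run this.
    """
    hostile = "clip.mp4; rm -rf ~"            # constructed attacker-controlled name
    with tempfile.TemporaryDirectory(prefix="media-") as d:
        base = Path(d)
        argv = build_cmd_safe(hostile, "out.mp4", base)
        try:
            confine("../../etc/passwd", base)
            blocked = False
        except UnsafePath:
            blocked = True
        return {
            "unsafe_str": build_cmd_unsafe(hostile, "out.mp4"),
            "safe_src_arg": argv[3],                    # one argv element, however odd
            "safe_src_under_base": argv[3].startswith(str(base.resolve())),
            "traversal_blocked": blocked,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When auditing the bundled scripts, the question to ask of every subprocess call is which of these two shapes it has: a formatted string handed to a shell, or a list whose user-controlled elements have been confined the way confine() does.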
Install Mechanism
There is no install spec that downloads remote archives or runs third-party installers; the skill ships its many code files in the bundle. No network download URLs or extract steps were found in the provided metadata. Because nothing is pulled from an external URL during install, the install mechanism itself is low risk; the runtime execution of those bundled scripts by the agent is the primary operational surface.
Credentials (flagged)
requires.env and the primary credential field are empty in the registry, but SKILL.md and the code require local binaries (ffmpeg/ffprobe) and optionally commands that reveal hardware details (nvidia-smi, amdgpu-info, vainfo). The PresetManager writes to a user config directory (~/.config/ffmpeg-master/presets), creating files in the user's home directory; that path is not declared among the required config paths. No secrets are requested, but the skill reads local system state and creates files in the user's profile without having declared those config paths.
Persistence & Privilege
always:false (no forced inclusion). The skill writes/creates a user presets directory under the home config path and may create temporary files during processing. It does not request persistent elevated privileges or modify other skills. Persisting presets under ~/.config is reasonable for a local tool but should have been declared as a config path; users should be aware of this file creation.
What to consider before installing
- Functional fit: The skill's functionality (building/running ffmpeg commands, GPU detection, presets, batch processing) matches its description; this looks like a legitimate FFmpeg helper.
- Declared requirements mismatch: The metadata does not list required binaries or config paths, but SKILL.md and the code clearly expect ffmpeg and ffprobe (and optionally nvidia-smi/amdgpu-info/vainfo). If your environment lacks these tools the skill will fail; the missing declaration is an oversight you should ask the author to correct.
- Local execution risks: The skill's scripts execute subprocesses (ffmpeg/ffprobe and system GPU tools) and read/write files. If the agent constructs command lines from untrusted user input, there is a risk of command injection or unintended access to local files. Prefer running this skill in a controlled/sandboxed environment until you have audited how inputs are sanitized.
- Files written to your system: The PresetManager will create ~/.config/ffmpeg-master/presets for user presets. Expect the skill to create temporary output files and logs in temporary directories or in user-specified locations. If you want to avoid changes to your home directory, run it in a VM or container.
- No remote downloads detected: There is no installer that downloads arbitrary code from the network at install time, which reduces supply-chain risk. Still review the bundled scripts for any network calls before enabling autonomous invocation.
- Recommended actions before enabling:
  1) Ask the author/maintainer to correct the metadata to declare required binaries and config paths.
  2) Review the scripts that will run (scripts/), paying attention to subprocess invocations and any code that touches the network or unsanitized inputs. Look for any subprocess.run or os.system uses that concatenate untrusted strings.
  3) Test the skill in an isolated environment (container/VM) with non-sensitive files to verify its behavior.
  4) If you will run it on a multi-user or production machine, enforce least privilege (run under a restricted user, restrict readable and writable directories) and confirm input sanitization.

If you want, I can highlight specific files/functions that build command lines or perform subprocess calls so you can inspect them for unsafe string handling.
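As an aid to the review in step 2, here is an added Python audit helper, not part of the skill or of the ClawHub scanner: it walks a scripts/ tree with the standard ast module, lists every subprocess/os.system call site, and flags shell=True and command strings assembled by f-strings, concatenation, % formatting or .format. The helper names, the severity labels and the embedded sample script are constructed for this example.

```python
"""Added example, not part of the skill or of ClawHub's scanner: a small AST
audit that lists subprocess/os.system call sites under a scripts/ tree and
flags the ones built from string formatting or run through a shell. Helper
names, severity labels and the sample script are constructed for the demo."""
import ast
from pathlib import Path
from typing import Optional

# Callables that hand a command line to another process.
_SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
_OS_FUNCS = {"system", "popen"}


def _callee(node: ast.Call) -> Optional[str]:
    """Return 'subprocess.run', 'os.system', ... for module.attr calls."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    if isinstance(f, ast.Name):
        return f.id
    return None


def _is_built_string(node: ast.AST) -> bool:
    """True if the command argument is assembled at runtime from pieces."""
    if isinstance(node, ast.JoinedStr):                          # f"ffmpeg -i {src}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                              # "... " + src, "%s" % src
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return True                                              # "ffmpeg -i {}".format(src)
    return False


def audit_source(src: str, filename: str = "<string>") -> list:
    """Parse one module and report every external-command call site, by line."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name is None:
            continue
        mod, _, attr = name.rpartition(".")
        is_sub = mod == "subprocess" and attr in _SUBPROCESS_FUNCS
        is_os = mod == "os" and attr in _OS_FUNCS
        if not (is_sub or is_os):
            continue
        # os.system/os.popen always go through a shell; subprocess only with shell=True.
        shell = is_os or any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords)
        built = bool(node.args) and _is_built_string(node.args[0])
        reasons = []
        if shell:
            reasons.append("command parsed by a shell (shell=True or os.system)")
        if built:
            reasons.append("command built from string formatting")
        # high: shell + runtime-built string; medium: shell but the string is
        # built elsewhere (trace the variable); review: plain argv call.
        severity = "high" if (shell and built) else ("medium" if shell else "review")
        findings.append({"file": filename, "line": node.lineno, "call": name,
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: f["line"])
    return findings


def audit_tree(root: Path) -> list:
    """Audit every .py file under root, e.g. the skill's scripts/ directory."""
    out = []
    for p in sorted(root.rglob("*.py")):
        out.extend(audit_source(p.read_text(encoding="utf-8"), str(p)))
    return out


# Constructed sample in the style of the patterns the report describes.
SAMPLE = '''\
import os, subprocess

def transcode(src, dst):
    subprocess.run(f"ffmpeg -i {src} -c:v libx264 {dst}", shell=True)

def probe(src):
    return subprocess.run(["ffprobe", "-show_format", src], capture_output=True)

def gpu():
    os.system("nvidia-smi -L")
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE, "scripts/sample.py"):
        print(f"{f['file']}:{f['line']} {f['call']} [{f['severity']}] {'; '.join(f['reasons'])}")
```

Run audit_tree(Path("scripts")) from the unpacked bundle; every "high" finding is a command line a user-supplied path can rewrite, and each "medium" one needs the variable traced back to where the string is built.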


latest: vk97fyrnj9dkmjaz5rqrfv4tcan83gx3s

