Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FFmpeg CLI

v1.0.0

Process video and audio using FFmpeg CLI for transcoding, cutting, merging, audio extraction, thumbnails, GIFs, speed, filters, subtitles, and watermarks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (FFmpeg CLI operations) align with the provided scripts. All eight scripts perform expected video/audio tasks (convert, cut, merge, extract audio, gif, thumbnail, speed, watermark). No unrelated credentials, hosts, or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run the included shell scripts against local files. The scripts only perform local file I/O and call ffmpeg; they do not call external network endpoints or read environment secrets. Minor operational notes: speed.sh uses bc (not declared in the metadata) and one echo line in speed.sh references an undefined variable (RATEx). Filenames are written into a temporary concat file without sanitization, which could behave unexpectedly with specially crafted filenames.
Install Mechanism
No remote download/install spec in the registry; SKILL.md metadata suggests installing ffmpeg via a brew formula (a well-known package source). There are no arbitrary URL downloads or archive extracts in the skill.
Credentials
The skill declares no required environment variables or credentials. It only needs local ffmpeg (and implicitly common CLI tools like mktemp and bc). There are no requests for unrelated secrets or config paths.
Persistence & Privilege
always is false and the skill is user-invocable. disable-model-invocation is false (normal platform default) — the skill could be invoked autonomously, but that is expected behavior and not combined with other privilege or credential requests.
Assessment
This skill is internally consistent: it provides local ffmpeg wrapper scripts and doesn't request secrets or download code. Before installing, ensure you have ffmpeg (brew install ffmpeg is suggested) and common utilities (bc, mktemp) on your system. Review the scripts if you will run them on untrusted files — they execute ffmpeg and write temporary files (merge.sh creates /tmp/ffmpeg_merge_*.txt) and do minimal filename sanitization. If you want to limit risk, run the scripts in a sandbox or only use trusted input files. If you need the skill to never run autonomously, disable model invocation when enabling the skill on your agent.
