Auto Clipper
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Auto Clipper mostly matches its video-clipping purpose, but it needs review because its advertised dry-run mode can still process videos and write files.
Review or fix the dry-run behavior before relying on it, test the skill on a small non-sensitive folder, install ffmpeg/ffprobe from trusted sources, and only enable cron or Agent Swarm analysis if you are comfortable with recurring processing and the possible model/agent data flow.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent asking only for a preview can still create video clips and change local state.
The script accepts a dry-run safety flag and passes it into run(), but run() does not check dry_run before invoking clip creation and writing the processed log.
parser.add_argument("--dry-run", action="store_true", help="Show what would be processed") ... if args.command == "run": run(dry_run=args.dry_run, force=args.force) ... def run(dry_run=False, force=False): ... create_clip(config, f, duration=min(default_dur, duration)) ... save_processed(processed)
Implement dry-run so it only lists pending files and planned actions, skipping ffmpeg output creation and processed-log writes, or remove the flag until it works.
If cron is enabled, the skill can repeatedly scan and process new media without interactive approval each time.
The documentation instructs users how to add the skill to cron for scheduled recurring execution. This is disclosed and purpose-aligned, but it is persistent automation.
0 * * * * /Users/ghost/.openclaw/workspace/skills/auto-clipper/scripts/run.sh
Only add the cron entry after testing, restrict the watch folder to intended media, and remove the crontab entry when you no longer want automatic processing.
If implemented or followed by an agent, media filenames, metadata, or analysis prompts may be shared with another agent/model service.
The skill documentation describes delegating media analysis to Agent Swarm. The included code currently has this as a placeholder, but the documented design introduces an inter-agent/provider data boundary.
Agent Swarm integration ... router.spawn() sessions_spawn(task, model) ... Analyze this video file: {filename}
Before using Agent Swarm analysis on sensitive recordings, verify exactly what media data is sent and disable the intent router unless that data flow is acceptable.
The skill may fail until dependencies are installed, and users may need to decide where to obtain ffmpeg/ffprobe.
The registry contract under-declares runtime requirements even though the included metadata and code rely on ffmpeg/ffprobe. This is not malicious, but users need to supply trusted dependencies themselves.
Required binaries (all must exist): none ... Install specifications: No install spec
Declare ffmpeg and ffprobe as required binaries in the skill metadata and install them only from trusted package sources.
