Arch Video Cut

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the preference file is tampered with, running the video workflow could execute unintended local commands, not just edit video files.

Why it was flagged

Local preference values are interpolated into shell command strings that are executed with shell=True. Because the preferences file is editable persistent state and values are not validated or safely passed as subprocess arguments, a poisoned preference value could trigger unintended local shell behavior when the workflow runs.

Skill content

FONT_NAME = prefs["subtitles"]["font_name"] ... f'-vf "...FontName={FONT_NAME},FontSize={HORIZONTAL_FONT_SIZE}..."' ... result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Recommendation

Only run the skill from a trusted copy and inspect config/user_preferences.json before use. The maintainer should avoid shell=True, pass subprocess arguments as lists, and validate or strictly type all preference values before building ffmpeg commands.

What this means

The skill may continue recording editing-history entries even after a user believes self-learning has been disabled.

Why it was flagged

The code defines a learning.enabled flag but record_adjustment appends and saves history without checking whether learning is enabled. This makes the persistent preference memory less user-controllable than the documentation suggests.

Skill content

"learning": {"enabled": True, "adjustment_history": [], "last_updated": None} ... prefs["learning"]["adjustment_history"].append(adjustment) ... save_preferences(prefs)

Recommendation

If you do not want preference history, inspect or delete config/user_preferences.json after running. The maintainer should check learning.enabled before recording adjustments and expose a working disable option in the preference manager.

What this means

The skill may fail or behave differently depending on what ffmpeg or Python packages are installed locally.

Why it was flagged

The skill relies on external local tooling installed by the user, but the registry metadata does not declare required binaries or pinned package versions. This is common for media-processing workflows, but it leaves dependency verification to the user.

Skill content

brew install ffmpeg-full  # Required for libass subtitle support
pip3 install faster-whisper  # Optional: for speech transcription

Recommendation

Install dependencies from trusted sources, verify the ffmpeg path used by the script, and prefer pinned or documented versions for reproducible behavior.