Skill v1.0.4
ClawScan security
Clip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 10:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it says: it uses yt-dlp and ffmpeg to download a YouTube video, trim a time range, and save the clip to ~/Desktop/Clips; its requirements and behavior are coherent with its description.
- Guidance: This skill appears internally consistent, but review and consider these practical points before installing: (1) it executes a shell script that runs yt-dlp and ffmpeg — verify you trust the skill source; (2) it will create ~/Desktop/Clips and temporary files in /tmp and will remove the raw download after clipping; (3) yt-dlp downloads content from YouTube — ensure you comply with YouTube's terms and copyright law; (4) install yt-dlp/ffmpeg from your OS package manager or a trusted source to avoid malicious binaries; (5) if you want extra safety, run the script under a limited user account or in a sandboxed environment.
Review Dimensions
- Purpose & Capability: ok. Name/description request yt-dlp and ffmpeg and the script uses exactly those tools to download and clip YouTube videos. Required binaries, install entries (brew/apt for yt-dlp and ffmpeg), and the included script are proportionate to the stated purpose.
- Instruction Scope: ok. SKILL.md and clip.sh only request a URL, start/end times, and optional name. The script writes to ~/Desktop/Clips and /tmp, calls yt-dlp and ffmpeg, and deletes the intermediate download. It does not read other system files, access unrelated environment variables, or send data to unexpected external endpoints beyond fetching the YouTube video via yt-dlp.
- Install Mechanism: ok. Install spec uses standard system package managers (brew/apt) for yt-dlp and ffmpeg. No downloads from arbitrary URLs or extract/install of untrusted archives are present.
- Credentials: ok. No environment variables or credentials are requested. The script uses $HOME for output and /tmp for working files, which is reasonable for this functionality.
- Persistence & Privilege: ok. Skill is not always-loaded, is user-invocable, and does not modify other skills or system-wide configuration. It runs as a one-off script with no elevated privileges.
