Skill v1.1.0

ClawScan security

Video Understanding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 9:10 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested resources are consistent with its stated purpose (downloading videos and sending them to Google Gemini for analysis); nothing requests unrelated credentials or performs unexplained actions.
Guidance
This skill appears to do what it says: it downloads videos (via yt-dlp), may remux/merge with ffmpeg, and uploads the content to Google Gemini using the GEMINI_API_KEY for analysis. Before installing, consider:
1) Privacy and copyright — uploaded videos will be sent to Google's servers, so avoid private/confidential or copyrighted content unless you have rights.
2) Billing and limits — using the Gemini File API may incur costs and has size limits; confirm your API plan.
3) Trusting yt-dlp downloads — yt-dlp executes network downloads and may write files locally; ensure you trust the video sources.
4) Runtime dependencies — brew will install system binaries and the Python google-genai package will be installed; review these if you have strict policy controls.
If these behaviors are acceptable, the skill is internally consistent.

Review Dimensions

Purpose & Capability
ok
Name/description (video analysis with Gemini) aligns with required binaries (yt-dlp, ffmpeg), the GEMINI_API_KEY credential, and the included Python script which downloads/uploads videos and calls the Google GenAI client. The brew install entries for yt-dlp and ffmpeg are proportional and expected.
Instruction Scope
note
SKILL.md and the script instruct the agent to download non-YouTube videos locally via yt-dlp and upload them to the Gemini File API (YouTube URLs are passed directly). This is within scope, but it does mean the skill will transmit video content to Google's servers — users should be aware of privacy/copyright implications. The script does not read other system files or additional environment variables.
Install Mechanism
ok
Install spec only lists brew formulas for yt-dlp and ffmpeg (well-known packages). The Python dependency (google-genai) is declared in the script metadata and is expected to be installed by the runtime tooling; no arbitrary URL downloads or unknown hosts are used in the install spec.
Credentials
ok
Only GEMINI_API_KEY is required and is used as the API key for the Google GenAI client. No unrelated secrets, tokens, or config paths are requested or read.
Persistence & Privilege
ok
always is false and the skill does not attempt to persist or modify other skills or system-wide settings. It cleans up uploaded Gemini files and local downloads by default (unless keep is used).