Skill v1.0.1
ClawScan security
QCut Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 4:35 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to be a genuine QCut media toolkit but the runtime instructions and bundled files expect local binaries, credential files, and HTTP services that the skill does not declare — this mismatch and the included server/scripts increase risk and deserve scrutiny.
- Guidance
- This package looks like a full QCut toolset (FFmpeg docs, AI pipeline, local HTTP APIs and helper scripts). Before installing or enabling it: 1) Confirm you run it inside the QCut/Electron environment it targets — otherwise expected binaries (aicp, bundled AICP binary, ffmpeg) and the local Claude HTTP server may not exist. 2) Review the bundled scripts (subtitle_server.js, review_server.js, shell scripts) before running — they can open local endpoints or access files. 3) Be aware the docs instruct persistent storage of API keys (e.g., ~/.config/video-ai-studio/credentials.env) and call external model endpoints (fal.run, Google providers). Only provide API keys you trust and consider scope-limited keys. 4) If you do not want the skill to access local files or start servers, do not run the CLI/server components; if you need to run them, sandbox or inspect them first. 5) If you want a definitive benign/malicious determination, provide the contents of the included JS/shell scripts for review (the manifest lists them but their code was not fully shown here).
Review Dimensions
- Purpose & Capability
- note: The skill's name/description (QCut media toolkit) matches the included sub-skills (ffmpeg guides, AI pipeline, project organization, PR comments). However, the SKILL.md and reference docs assume the presence of QCut-specific binaries (aicp, QCut/Electron host, ffmpeg) and credential plumbing that are not declared in the skill metadata (required binaries/env/config). That omission is an inconsistency: a legitimate QCut skill would normally declare or at least document required runtime binaries/environment.
- Instruction Scope
- concern: The skill's instructions reference running/using local CLI binaries (aicp, QCut), a local HTTP API (localhost:8765), and persistent credential stores (e.g., ~/.config/video-ai-studio/credentials.env). The docs show APIs that accept absolute file paths and timeline/media IDs — these afford the agent access to arbitrary local files if invoked. The SKILL.md instructs setting and injecting API keys and includes multi-tier key resolution; it also routes to sub-skill docs and shell/js scripts present in the bundle. These behaviors go beyond simple text-only help and could read/write sensitive files or start local servers if executed, so the instruction scope is broader than the metadata implies.
- Install Mechanism
- note: There is no install spec (instruction-only) which reduces installer risk. However, the package contains executable scripts and server JS files (subtitle_server.js, review_server.js, shell scripts) that could be executed by an agent following the SKILL.md guidance. Absence of a declared install process does not eliminate runtime execution risk.
- Credentials
- concern: The skill metadata declares no required environment variables or primary credential, yet the SKILL.md and REFERENCE docs repeatedly reference and instruct management of multiple API keys (FAL_KEY, GEMINI_API_KEY, ELEVENLABS_API_KEY, etc.) and a persistent credentials file. Asking the user/agent to set or rely on those secrets without declaring them is inconsistent and elevates the chance of accidental secret exposure or misconfiguration.
- Persistence & Privilege
- note: The skill does not request always:true and defaults to normal invocation. But it recommends persistent key storage (CLI set-key that writes to ~/.config/.../credentials.env) and documents local HTTP endpoints and servers. That implies the skill expects to persist secrets and possibly run long-lived local services — reasonable for an app-integrated toolkit but something users should explicitly consent to and verify.
