Skill v1.0.0

ClawScan security

Video Multi-Platform Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 14, 2026, 2:02 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely performs local video analysis and ffmpeg-based clipping (and simulates publishing), but its description promises one‑click cross‑platform publishing while the code and manifest lack the credentials, API integrations, and declared binary requirements needed for real publishing — this mismatch is suspicious and likely a bug or misleading documentation.
Guidance
This skill appears to do local video analysis and ffmpeg-based clipping and then prints simulated publish results — it does not contain real API integrations or request platform credentials. Before installing or running:
1) Expect to need ffmpeg/ffprobe installed locally (the script will exit if missing) even though the registry metadata didn't list required binaries;
2) Do not assume it will actually upload to platforms — the code shown only simulates publishing and lacks credential handling;
3) Review the full script (remaining/truncated parts) to confirm there are no hidden network calls;
4) Test it on non-sensitive sample videos in an isolated environment first;
5) If you need real multi-platform publishing, be prepared to add secure credential handling (store API keys safely) and verify each platform integration rather than relying on this skill as-is.
The mismatch between advertised capabilities and the implementation is the main concern — treat this as buggy/misleading rather than overtly malicious unless later code reveals undisclosed network endpoints or credential exfiltration.

Review Dimensions

Purpose & Capability
concern: The name/description promise full end-to-end multi‑platform publishing (WeChat, Bilibili, Xiaohongshu, Douyin, YouTube, TikTok). The included Python code implements local analysis, clipping (ffmpeg/ffprobe) and a simulated publish function that prints success, but does not integrate with platform APIs or request any credentials. Additionally openclaw.skill.json sets "ffmpeg_required": true while the registry metadata lists no required binaries — inconsistent with the runtime check in code that exits if ffmpeg is missing.
Instruction Scope
note: SKILL.md and the CLI/API examples instruct running the included script to 'publish' to platforms. However the script's publish routines are simulated (no network endpoints, no credential handling shown in the included code). SKILL.md implies network uploads and use of platform credentials, but neither the instructions nor the code explain how credentials are provided — a scope/expectation mismatch (claims network publishing but instructs/implements only local operations).
Install Mechanism
ok: No install spec (instruction-only + bundled Python script). This is low risk in installation terms. The skill will call external binaries (ffmpeg/ffprobe) at runtime, but there is no post-install download/extract or remote code fetch in the provided files.
Credentials
concern: The skill requests no environment variables or credentials, yet claims to publish to third‑party platforms where API keys/tokens would normally be required. That absence is disproportionate to the claimed capability and indicates either (a) the skill only simulates publishing (which is the current code behavior) or (b) the real publishing implementation is missing and would require sensitive credentials not declared here.
Persistence & Privilege
ok: Skill is not always-on, has no special OS restrictions, and doesn't request to modify other skills or system configurations in the provided files. No elevated persistence or privileges are observed.