ClawHub

Capcut Mate Skill

v0.1.1

Automate CapCut video editing by creating projects, adding videos, and rendering final videos via the CapCut Mate API.

3· 850·4 current·4 all-time
by@excalibur9527
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is described as a CapCut Mate automation helper and the code + SKILL.md implement and document calls to a CapCut Mate server API. One minor mismatch: registry metadata lists no required environment variables, but both the code and SKILL.md expect CAPCUT_MATE_URL to be configured.
Instruction Scope
SKILL.md limits runtime actions to deploying/connecting to a CapCut Mate server (git clone, uv/docker-compose), configuring CAPCUT_MATE_URL, and using the documented API. The instructions do not ask the agent to read arbitrary system files or exfiltrate data to unrelated endpoints.
Install Mechanism
This is an instruction-only skill with a small wrapper index.js and package.json. The SKILL.md tells users to clone a GitHub repo or use docker-compose — GitHub and docker-compose are normal sources for open-source projects. There is no opaque download-from-personal-server or extract step in the skill bundle itself.
!
Credentials
The skill needs a CAPCUT_MATE_URL (used by index.js) but the registry metadata does not declare it as a required env var; this is an inconsistency that should be corrected. No sensitive credentials (API keys, tokens, passwords) are requested by the skill.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent system privileges or modify other skills' configurations. It uses standard network calls to the configured CapCut Mate endpoint.
Assessment
This skill appears to do what it says: it wraps calls to a CapCut Mate server. Before installing, verify the CapCut Mate server repository (the SKILL.md points to https://github.com/Hommy-master/capcut-mate.git) and only deploy it on a host you control. Ensure you set CAPCUT_MATE_URL in your environment (the registry metadata should declare this but currently does not). Do not expose the local CapCut Mate server port publicly unless you trust the deployment and understand privacy implications for uploaded media. If you need higher assurance, review the upstream capcut-mate codebase and run it in an isolated environment (container or VM) before connecting the skill.
index.js:4
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bmdfqnhxms4r7qvgab68ppn82szhe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments