ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

08 Video Merge

v1.0.3

Locally merges video clips, dubbing audio, SRT subtitles, and background music into a 9:16 vertical short video ready for publishing.

0· 120·1 current·1 all-time
by@ghwyever
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description promise full local merging (video + audio + SRT + music, 9:16 output). However, the shipped code (skill.js) contains no media processing, no downloads, and no invocation of tools like ffmpeg; it only returns a static path and message. Required binaries/credentials are none, which is inconsistent with a true local media-processing task that would normally require ffmpeg or similar.
!
Instruction Scope
SKILL.md describes a pure-local merging workflow and lists expected inputs (video_url, audio_url, subtitle_url). The runtime instructions do not ask for unrelated files or secrets, but the actual runtime (skill.js) does not implement any of the described steps. This is scope mismatch: instructions promise behavior that the code does not carry out.
Install Mechanism
There is no install spec and only a tiny instruction+code file; nothing is downloaded or written to disk by an installer. This low-install footprint reduces risk.
Credentials
The skill requests no environment variables, credentials, or config paths — which is consistent with the provided (non-functional) code. If the skill were implemented, it would likely require local binaries or temporary file access; those are not requested now.
Persistence & Privilege
No elevated privileges or persistent 'always' installation is requested. The skill is user-invocable and does not claim to modify other skills or system settings.
What to consider before installing
This skill is a stub: it advertises local video merging but the code does not do any merging — it only returns a static filename. Do not rely on it to process media. Before installing or using it: (1) ask the author for a real implementation (look for calls to ffmpeg or other media libraries and explicit file download/cleanup logic); (2) require the skill to declare required binaries (e.g., ffmpeg) and temporary file paths; (3) inspect any future code for network endpoints, uploads, or external dependencies; and (4) test in a sandboxed environment. If you want a working merge skill, insist on a complete implementation that clearly documents required tools, permissions, and where output files are written.

Like a lobster shell, security has layers — review code before you run it.

latestvk975h42p24xyb5acfvfs84f83x84kpjr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments