Skillv1.0.3

ClawScan security

Video A'Roll Auto Editor v4.7 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 13, 2026, 11:21 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are coherent with a local video rough-editing tool; it asks for the expected dependencies and does not request unrelated credentials or external endpoints, though origin is unknown and the package will execute local binaries and may download large model files.
Guidance: This appears to be a coherent local video rough-editing utility. Before running it: (1) review the bundled Python script yourself (it will execute ffmpeg and spawn the Whisper CLI); (2) be aware the Whisper package may download large language/model weights on first use (network + disk), so run where you accept that download and resource use; (3) run in an isolated environment (container or VM) until you trust behavior; (4) test on non-sensitive sample videos first; (5) note the project is GPL v3 — if you distribute derivatives you must comply with the license. Also be aware the code includes minor bugs/truncation in the provided excerpt (e.g., an incomplete return in analyze_fluency) — you may want to run linting/tests or fix small issues before relying on it in production.

Review Dimensions

Purpose & Capability: okName/description claim automated video rough editing; the code and SKILL.md require FFmpeg, Python, and openai-whisper and perform silence detection, scoring, transcription, deduplication, clipping and concatenation — all consistent with that purpose.
Instruction Scope: noteSKILL.md instructs running the included Python script and installing FFmpeg and openai-whisper. The runtime instructions and code operate on local files (input video, work and output dirs) and call local binaries (ffmpeg, whisper CLI). They do not reference unrelated system paths, environment variables, or external endpoints in the provided excerpts. Note: Whisper/whisper CLI may download model weights (large files) and perform network I/O when first used; the instructions do not warn about that.
Install Mechanism: okNo install spec supplied (instruction-only plus bundled code). The README suggests installing FFmpeg via system package manager and the openai-whisper Python package via pip, which is expected for a local transcription-based tool. No arbitrary download URLs or archive extraction were specified.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The code reads and writes files in provided input/output/work directories only — proportional to the stated functionality.
Persistence & Privilege: okalways is false and the skill does not request persistent system-wide privileges. It does not modify other skills or global agent settings in the provided materials.