Openclaw Video Editor

Security checks across malware telemetry and agentic risk

Overview

This is a local ffmpeg video-editing skill with no evidence of hidden network access, credential use, persistence, or destructive behavior beyond user-directed media outputs.

Install only if you are comfortable with local scripts reading the media/transcript files you point them at and overwriting output paths you choose. For highlight reels, be aware that temporary intermediate video clips are written under the system temp area during processing despite the script docstring saying otherwise.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 88% confidence
Finding: The module docstring makes a materially inaccurate safety claim: it says the script never reads or writes outside the input/output directories, but it creates temporary clip files and a concat list in a system temp directory via TemporaryDirectory. Misleading security claims are dangerous because operators may rely on them when granting filesystem permissions or reviewing the skill, resulting in broader-than-expected file writes and data exposure on shared systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal