Boxed FFmpeg
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s media-processing purpose is coherent, but it should be reviewed because it downloads and runs a remote WASM component from an unpinned GitHub URL outside the packaged artifacts.
Review the external plugin and WASM source before installing. Prefer a pinned, checksummed component, and process only files in directories you are comfortable exposing to the sandboxed FFmpeg tool.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may run a WASM component that was not included in the reviewed package and could change after the skill is published.
The executable WASM component is fetched from a raw GitHub main-branch URL at use/setup time, with no integrity hash, signature, or pinned immutable version shown in the artifacts.
wasm-sandbox-download({ url: "https://raw.githubusercontent.com/guyoung/wasm-sandbox-openclaw-skills/main/boxed-ffmpeg/files/boxed-ffmpeg-component.wasm", output: "~/.openclaw/skills/boxed-ffmpeg/files/boxed-ffmpeg-component.wasm" })
Bundle the WASM file with the skill or download it from a pinned release/commit with a published checksum; ask the user before downloading executable components.
The tool will read selected media files and create output files in the chosen directory.
The skill runs a WASM component on local media files. This is core to the stated FFmpeg sandbox purpose and is bounded by workDir and filename-only arguments, but it is still executable code.
wasm-sandbox-run({ wasmFile: "~/.openclaw/skills/boxed-ffmpeg/files/boxed-ffmpeg-component.wasm", workDir: "<input-file-directory>", args: ["<COMMAND>", "<INPUT>", "<OUTPUT>"] })
Use it only with media files and directories you intend to process, and verify the WASM component source before first use.
