Boxed FFmpeg
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s media-processing purpose is coherent, but it should be reviewed because it downloads and runs a remote WASM component from an unpinned GitHub URL outside the packaged artifacts.
Review the external plugin and WASM source before installing. Prefer a pinned, checksummed component, and process only files in directories you are comfortable exposing to the sandboxed FFmpeg tool.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may run a WASM component that was not included in the reviewed package and could change after the skill is published.
The executable WASM component is fetched from a raw GitHub main-branch URL at use/setup time, with no integrity hash, signature, or pinned immutable version shown in the artifacts.
wasm-sandbox-download({ url: "https://raw.githubusercontent.com/guyoung/wasm-sandbox-openclaw-skills/main/boxed-ffmpeg/files/boxed-ffmpeg-component.wasm", output: "~/.openclaw/skills/boxed-ffmpeg/files/boxed-ffmpeg-component.wasm" })
Bundle the WASM file with the skill or download it from a pinned release/commit with a published checksum; ask the user before downloading executable components.
The tool will read selected media files and create output files in the chosen directory.
The skill runs a WASM component on local media files. This is core to the stated FFmpeg sandbox purpose and is bounded by workDir and filename-only arguments, but it is still executable code.
wasm-sandbox-run({ wasmFile: "~/.openclaw/skills/boxed-ffmpeg/files/boxed-ffmpeg-component.wasm", workDir: "<input-file-directory>", args: ["<COMMAND>", "<INPUT>", "<OUTPUT>"] })
Use it only with media files and directories you intend to process, and verify the WASM component source before first use.
