Skill v1.0.1
ClawScan security
Twitter Video Downloader (推特视频下载器) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 4:10 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (download Twitter/X videos via yt-dlp/ffmpeg); the required binaries match its behavior and there is no sign of data-exfiltration, but there are minor implementation inconsistencies you should be aware of before use.
- Guidance: This skill appears to be a straightforward wrapper around yt-dlp and ffmpeg and does not request credentials or contact unexpected remote endpoints. Before installing or running:
  1) Ensure yt-dlp, ffmpeg and python3 are installed from trusted sources (brew/apt/pip or official releases); info.sh uses python3 but the metadata doesn't list it.
  2) Be aware the scripts create files under ~/Downloads/twitter-videos and ~/Downloads/twitter-audio and will perform network requests to Twitter/X (use the --proxy option if required).
  3) The URL validation in download.sh may reject some link formats the README claims to support (mobile.twitter.com/t.co); if you rely on those, test first or remove/adjust the validation.
  4) Review the shell scripts yourself (they are short and readable) before running, especially if you plan to run them with elevated privileges.

  Overall there is no indication of exfiltration or malicious behavior, only minor implementation bugs and an undeclared runtime dependency (python3).
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (yt-dlp, ffmpeg) and the shell scripts align with a Twitter/X video downloader. The scripts use yt-dlp to fetch and ffmpeg (via yt-dlp merge/extract) for audio/video processing, which is expected.
- Instruction Scope (note): Runtime instructions and scripts stay within the downloader use-case (building yt-dlp args, proxy options, output directories). Minor scope issues: the scripts call python3 in info.sh but python3 is not declared in the metadata as a required binary; the download.sh URL validation rejects some formats the README/SKILL.md claim to support (e.g., mobile.twitter.com and some shortlink cases), so some advertised link formats may fail even though yt-dlp itself can handle them.
- Install Mechanism (ok): No install spec is provided (instruction-only), so nothing is downloaded or executed during installation. The approach minimizes install-time risk. Dependencies are expected to be present on PATH.
- Credentials (ok): The skill declares no required environment variables or credentials. The scripts only use local filesystem paths (~/Downloads/...) and optional proxy arguments; no secrets or unrelated credentials are requested.
- Persistence & Privilege (ok): always is false and there is no code that modifies other skills or system-wide settings. The skill does create local download directories (under the user's home), which is normal for a downloader.
