Na He
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only video motion analysis skill, but it relies on local video-processing commands and sends results to Feishu, so users should verify tools, inputs, and the message recipient.
This skill appears safe for its stated purpose if you intentionally want video action analysis. Before installing or using it, make sure any required tools such as yt-dlp, you-get, and ffmpeg come from trusted sources, run it in a dedicated folder, and verify the Feishu user ID before sending results.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may download a user-provided video and generate many frame image files locally, which can use disk space and processing time.
The skill instructs use of local command-line tools to download videos, process media, and write extracted frames. This is central to the stated video analysis purpose, but it is still meaningful local file and network activity.
you-get -o ./video ... yt-dlp "视频URL" -o ./video ... ffmpeg -i ./video/input.mp4 -vf fps=10 ./frames/frame_%04d.jpg
Use a dedicated working folder, confirm the video URL or file is intended for analysis, and review commands before running them on large or sensitive videos.
A user may need to install or provide these tools separately, and should choose trusted installation sources.
The registry does not declare required binaries or an install mechanism, even though the SKILL.md workflow relies on external tools such as you-get, yt-dlp, and ffmpeg. This is a metadata completeness issue rather than hidden code.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Install any needed media tools from trusted package managers and keep them updated; the skill metadata should ideally declare these dependencies.
Video titles, detected actions, or pass/fail results could be sent to the wrong Feishu recipient if the target is incorrect.
The workflow sends analysis results to a Feishu user ID. This is disclosed in the description and aligned with notification behavior, but it is an external messaging/data-sharing step.
使用 `message` 工具发送结果到飞书 ... "target": "飞书用户ID"
Confirm the Feishu recipient before sending and avoid including sensitive video details unless the user explicitly wants them shared.