Skill v1.0.0

ClawScan security

video-frames · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 1:52 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions are coherent with a local PyAV-based frame-extraction CLI; nothing in the package requests unrelated credentials or hidden data exfiltration, but the recommended install method (curl | bash) executes remote code and should be reviewed before running.
Guidance
This skill appears to do what it says: a local video-frame CLI using PyAV. Before installing, manually inspect the referenced install.sh on the GitHub repo (the SKILL.md suggests executing it via curl | bash). That script will create files under your home directory and may edit your shell rc; if you do not trust the GitHub account or want to reduce risk, clone the repository and review/run the installer steps locally (create the venv, pip install -r requirements.txt) or run it in a disposable environment/container. Also be aware of the small metadata inconsistency (registry homepage missing) and prefer installing only from repositories you trust.

Review Dimensions

Purpose & Capability
note: The README, _meta.json and diagnose script all describe a local video-frame extraction CLI (PyAV, Pillow, ffmpeg) and the requested resources (none) match that purpose. Minor metadata mismatch: registry listing shows no homepage while _meta.json references the GitHub repo, likely a packaging/registry inconsistency but not functionally harmful.
Instruction Scope
ok: SKILL.md only instructs installing the tool, creating/using a Python venv, adding ~/.local/bin to PATH, and running local commands (frame-extractor, ffmpeg, python imports). The included scripts check local files and environment; there are no instructions to read unrelated system secrets or to send data to external endpoints.
Install Mechanism
note: The skill recommends running a remote install script via curl -sSL https://raw.githubusercontent.com/... | bash. Fetching and executing a remote script is common for CLI tools but carries elevated risk because it runs arbitrary code from the network; the URL is a GitHub raw URL (a well-known host), but you should review the install.sh contents before executing.
Credentials
ok: No environment variables, credentials, or config paths are requested. The skill operates on user-supplied files and paths (videos, output dirs) only, which is proportionate to its stated functionality.
Persistence & Privilege
ok: The skill does not request always:true and contains no instructions to modify other skills or system-wide agent settings. Installation writes files under the user's home (~/.video-frame-extractor, ~/.local/bin) and suggests updating shell rc files to add to PATH (expected for a user CLI).