Skillv1.0.4

ClawScan security

news-video-maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 11, 2026, 8:08 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (search → TTS → ffmpeg video assembly), but the manifest omits a declared ffmpeg dependency and the SKILL.md hard-codes a Windows output path — verify runtime tools and paths before use.
Guidance: This skill appears to do what it says: search for news, synthesize speech, and call ffmpeg to produce an MP4 with subtitles. Before using it: 1) ensure ffmpeg is installed from an official source and available on PATH (the manifest doesn't declare it); 2) confirm you have the referenced search and TTS skills/tools available and permitted; 3) change the hard-coded default output path to a directory you control to avoid unwanted writes to your user folder; 4) verify the agent will only run when you invoke it (if you don’t want autonomous runs); and 5) review any generated audio/images for copyright or privacy issues. If you want higher assurance, ask the skill author to declare required binaries and provide cross-platform paths or an explicit prompt for output directory.

Purpose & Capability: okName/description (news video maker) align with instructions: it uses web search skills to gather news, a TTS tool to produce audio, and ffmpeg to assemble video and subtitles — these are expected capabilities for this skill.
Instruction Scope: noteInstructions stay within the stated purpose and do not ask for unrelated files or credentials. They do reference using other skills (search, TTS) and running ffmpeg. The SKILL.md hard-codes a default Windows output directory (C:\Users\hyzu\Documents\openclaw\), which is odd for a cross-platform skill and could cause accidental writes to a user folder if used as a default.
Install Mechanism: noteThis is instruction-only (no install spec), which minimizes installer risk. However, the instructions assume an ffmpeg binary is available on PATH but the registry metadata lists no required binaries — that's an omission the user should address (install ffmpeg from an official source).
Credentials: okThe skill requests no environment variables or credentials and the runtime instructions do not ask for secrets. This is proportionate to its purpose.
Persistence & Privilege: okalways is false and the skill is user-invocable; it does not request elevated or persistent privileges. Autonomous invocation is allowed by platform default but is not combined with other high-risk factors here.