Skill v0.2.0
ClawScan security
Terrain Route Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 2:34 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose: it renders route videos by calling public map/tile services, drawing frames with Matplotlib, and encoding with ffmpeg. Nothing requested or installed is disproportionate.
- Guidance: This skill appears to do what it says, but note three practical things before running it. (1) The script sends coordinates to public services (router.project-osrm.org and a.tile.opentopomap.org); if your stops/GPX contain sensitive location data, consider anonymizing them or running a private routing/tile service. (2) It creates local folders (frames/ and .tile-cache/) and caches tiles on disk; run it in a dedicated working folder and delete the caches when you're done. (3) Ensure ffmpeg is installed and on PATH; the script calls it via subprocess. If you need stronger privacy or want to avoid external network calls entirely, you would need a local OSRM/tile server, or to modify the script to use only local tiles and tracks.
Review Dimensions
- Purpose & Capability (ok): Name and description (terrain route video) align with the implementation. The script fetches OSRM routes, downloads OpenTopoMap tiles, renders frames with Matplotlib/Pillow, and encodes with ffmpeg. The required tools and libraries (requests, numpy, matplotlib, pillow, ffmpeg) are appropriate for the task.
- Instruction Scope (note): SKILL.md stays within scope. It instructs creating a venv, installing the Python dependencies, running the script with stops.json or GPX/KML, and notes that frames/ and .tile-cache/ are created. The important runtime behaviors are network calls to the public OSRM endpoint (router.project-osrm.org) and the OpenTopoMap tile server (a.tile.opentopomap.org), plus local file I/O (reading GPX/KML, writing cached tiles and frames). These actions are expected for the stated purpose but have privacy implications, since coordinates are sent to public services.
- Install Mechanism (ok): No install spec; the skill is instruction-only with a Python script, which is the lowest-risk install model. Dependencies are standard PyPI libraries; the script requires ffmpeg on PATH (checked at runtime).
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. That is proportional: the implementation uses only public HTTP endpoints and local files. There are no unexpected secret- or credential-related requests.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or persistent privileges. It writes caches and frames into the current working directory only (documented). It does spawn a local subprocess (ffmpeg), which is expected for encoding.
