ClawCut
ReviewAudited by ClawScan on May 10, 2026.
Overview
ClawCut appears to be a real video-generation tool, but it has risky defaults that can expose its web UI on your network and may run an ffmpeg binary from /tmp while using your Google Cloud credentials.
Before installing, treat this as a paid Google Cloud app: use a dedicated low-privilege service account, set billing limits, and do not upload private media unless you accept Vertex AI processing. Run the Gradio UI bound to localhost only, add authentication if exposing it, and set FFMPEG_BIN to a trusted ffmpeg path rather than relying on /tmp/ffmpeg.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an unexpected or malicious /tmp/ffmpeg exists, it could be executed as the user during video processing.
The runtime prefers /tmp/ffmpeg if it exists. The pipeline uses FFMPEG_BIN for subprocess-based ffmpeg operations, and /tmp is commonly writable; the setup docs also tell users to set FFMPEG_PATH, not FFMPEG_BIN, so users may not override this default.
FFMPEG_BIN = os.getenv("FFMPEG_BIN", "/tmp/ffmpeg")
if not os.path.exists(FFMPEG_BIN):
FFMPEG_BIN = "ffmpeg"Change the default to the system ffmpeg or a user-specified trusted absolute path, document the correct variable name, and avoid executing binaries from /tmp.
Anyone who can reach the machine on port 7860 may be able to upload media and consume the user's Google Cloud quota or credits.
The Gradio UI listens on all network interfaces. No authentication or access control is shown, while the UI can accept uploads and trigger paid Vertex AI video generation using the configured credentials.
app.launch(server_name="0.0.0.0", server_port=7860)
Bind the UI to 127.0.0.1 by default, add authentication if network access is needed, and firewall the port.
The skill can spend quota and access Vertex AI under the configured Google Cloud identity.
The skill requires Google Cloud service-account authority for Vertex AI. This is expected for the stated purpose and no hardcoded secret is shown, but registry metadata lists no primary credential or required environment variables.
- Service account JSON with Vertex AI User role ... - All credentials via environment variables (zero hardcoded secrets)
Use a dedicated low-privilege service account, a separate project or billing budget, and avoid using broad personal or production credentials.
Private images or videos selected as references may be sent to Google Cloud for processing.
The code reads user-provided reference media and includes it in Gemini/Vertex AI model requests. This is purpose-aligned and disclosed at a high level, but users should recognize that uploaded reference media leaves the local machine.
with open(reference_video_path, "rb") as f:
video_bytes = f.read()
contents.append(types.Part.from_bytes(data=video_bytes, mime_type="video/mp4"))Only upload media you are comfortable sending to Vertex AI, and verify your Google Cloud data handling settings and policies.
Dependency installation depends on trusting the specified package mirror.
The documented setup installs dependencies from a non-default Python package index. This is user-directed and mostly pinned in requirements.txt, but it is still a provenance choice users should verify.
pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
Install in a virtual environment, verify package sources and hashes where possible, or use a trusted package index.