Wjs Segmenting Video

Review

Audited by ClawScan on May 13, 2026.

Overview

The core video-cutting workflow is understandable, but some bundled helper scripts trust an ffmpeg executable from /tmp and can optionally send video frames to an image provider.

Review before installing. The core segmentation script appears aligned with the stated purpose, but set FFMPEG to a trusted binary, avoid relying on /tmp/ff_bin/ffmpeg, and do not run the cover-generation helper unless you accept sharing frames with the configured image provider.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the intro/subtitle helpers could execute an untrusted local binary if /tmp/ff_bin/ffmpeg exists.

Why it was flagged

The helper auto-selects an executable from /tmp before the normal PATH. If that file is malicious or unintended, the script will run it as ffmpeg during video processing.

Skill content

for p in [os.environ.get("FFMPEG"), "/tmp/ff_bin/ffmpeg", shutil.which("ffmpeg")]:
    if p and Path(p).exists():
        return p

Recommendation

Use a trusted, pinned ffmpeg path, preferably via the FFMPEG environment variable, and remove the /tmp fallback or require explicit user confirmation before using it.

What this means

The skill can create or overwrite local media outputs in the chosen output folder.

Why it was flagged

The core script invokes ffmpeg and uses -y to overwrite outputs. This is expected for a video-cutting skill, but users should run it only on intended files and output directories.

Skill content

cmd = [
    "ffmpeg", "-y",
    "-ss", fmt_time(start), "-to", fmt_time(end),
    "-i", str(source),

Recommendation

Run it in a dedicated project directory and review the segments.json paths and output directory before execution.

What this means

If the cover helper is used, a frame from the user's video and related prompt text may be shared with the selected image-generation provider.

Why it was flagged

The optional cover helper sends a local reference frame plus prompt/title data to a gpt-image provider through another skill's CLI.

Skill content

cmd = [
    "node", str(GPT_IMAGE_CLI), "--json",
    "--provider", provider,
    "images", "edit",
    "--prompt", prompt,
    "--ref-image", str(ref_image),

Recommendation

Only run make_cover.py when you are comfortable sending the selected frame and prompt to that provider; otherwise use the local compose_cover.py fallback or skip cover generation.