Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FCP Assistant

v2.2.0

Auto video production, TTS voiceover, media management, batch export | AI auto video assembly, TTS voiceover, media management, batch export. Triggers: FCP, Final Cut, make video, auto video, voiceover,...

0· 56·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (FCP assistant, auto video/TTS/media management) align with the included scripts (media collection, TTS, auto-assembly, tagging, thumbnails). Required binaries (osascript, ffmpeg, ffprobe, curl, jq) are reasonable for the declared functionality. However, the registry metadata claims no OS restriction while the skill explicitly requires macOS/osascript in SKILL.md; the metadata should declare macOS. Overall capabilities match purpose, but the metadata and some defaults are sloppy.
Instruction Scope
SKILL.md and scripts instruct the agent to run many shell scripts and to call osascript for FCP automation. Some referenced assets appear missing: the README and SKILL.md call osascript scripts like scripts/check-fcp.scpt, scripts/list-projects.scpt, scripts/open-project.scpt, but .scpt files are not present in the file manifest. Several scripts contact local services (Qwen TTS at 127.0.0.1:7860, Qwen ASR at 127.0.0.1:8000) and external APIs (Pexels, Pixabay). Scripts read/write project files, /tmp, and may create outputs in user directories; that behavior is expected for this tool but the missing .scpt files and hard-coded developer paths (e.g., TTS_OUTPUT_DIR=/Users/stevegao/qwen-tts-webui/outputs) are surprising and could cause unexpected behavior or require editing before use.
Install Mechanism
No install spec provided (instruction/code bundle only), so nothing is fetched or installed by an external installer. The shell scripts ship inside the skill package and are simply unpacked with it; no remote download or install step is declared. This lowers install risk, but running the provided scripts will execute local commands (ffmpeg, curl, osascript).
Credentials
The skill declares no required environment variables, which is mostly accurate for basic operation. However, multiple scripts reference optional environment/config items that are not declared: PEXELS_API_KEY (optional for media-collector), TTS host and local output directory defaults (127.0.0.1:7860 and /Users/stevegao/...), and the code uses local ports for ASR/TTS services. No secrets are explicitly requested, but the presence of an undocumented PEXELS_API_KEY usage and hardcoded user paths reduces clarity and could surprise users.
Persistence & Privilege
The skill is not always:on and does not request elevated platform privileges. It will create files under project directories and /tmp when run (normal for a media tool). There is no evidence it modifies other skills or system-wide agent config.
What to consider before installing
This skill appears to implement the advertised FCP/video pipeline, but review and test before trusting it with real projects:
- Missing AppleScript files: SKILL.md calls multiple .scpt scripts (check-fcp.scpt, list-projects.scpt, etc.) but those .scpt files are not in the package. Expect to edit the scripts or provide your own .scpt files if you need FCP automation.
- Local services required: TTS/ASR calls target local hosts (127.0.0.1:7860 and 127.0.0.1:8000). Ensure you run those services yourself; the skill assumes a local Qwen TTS/ASR stack. It will not contact a remote cloud TTS by default.
- Hardcoded developer path: the tts/voice scripts default TTS_OUTPUT_DIR to /Users/stevegao/..., which likely does not exist on your machine. Edit the script defaults or set appropriate environment variables/directories before running.
- Optional API key: media-collector mentions PEXELS_API_KEY (optional). If you supply an API key, it will be used in requests; the skill requires no secrets, so supplying a key is optional and should be done cautiously.
- Network activity: the skill downloads video assets (Pexels) and references public music locations (Pixabay links). If you need an offline or air-gapped workflow, do not run the media-collector, or block outbound network calls.
- Safety steps before use: run the scripts in a disposable sandbox or a throwaway project directory; inspect and, if necessary, edit the scripts for paths/ports; verify the ffmpeg/osascript calls on sample files; do not run them against sensitive directories. If you rely on the FCP automation, create or supply the missing .scpt files or contact the author for a complete package.

Given the above mismatches and surprising defaults, proceed only after addressing the missing files and adjusting the hardcoded paths; these issues look like sloppy packaging rather than intentionally malicious behavior.
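As an added example (not code from the skill or from the ClawHub scanner), the following bash script turns the checks above into something repeatable against an unpacked skill directory: it lists referenced .scpt files that are absent from the package, hard-coded /Users/<name> paths, loopback host:port endpoints, and environment variables the scripts expand that SKILL.md never mentions. The sample package it builds is constructed to mirror the findings reported here; its file names and contents are assumptions, not the real bundle.

```shell
#!/usr/bin/env bash
# Pre-install audit of an unpacked skill bundle. Added example; not code from
# the skill or from ClawHub's scanner. The sample package below is constructed
# to mirror the scan's findings; its layout and contents are assumptions.
set -u

# Build a constructed sample package (assumed layout, not the real skill).
make_sample_skill() {
  local dir="$1"
  mkdir -p "$dir/scripts"
  cat > "$dir/SKILL.md" <<'EOF'
# FCP Assistant
Run `osascript scripts/check-fcp.scpt` to verify Final Cut Pro is available.
Run `osascript scripts/list-projects.scpt` to enumerate projects.
Run `scripts/tts.sh` for voiceover and `scripts/media-collector.sh` to fetch clips.
EOF
  cat > "$dir/scripts/tts.sh" <<'EOF'
#!/bin/sh
TTS_HOST="${TTS_HOST:-127.0.0.1:7860}"
TTS_OUTPUT_DIR="${TTS_OUTPUT_DIR:-/Users/stevegao/qwen-tts-webui/outputs}"
curl -s "http://$TTS_HOST/tts" -o "$TTS_OUTPUT_DIR/out.wav"
EOF
  cat > "$dir/scripts/media-collector.sh" <<'EOF'
#!/bin/sh
[ -n "${PEXELS_API_KEY:-}" ] && curl -s -H "Authorization: $PEXELS_API_KEY" https://api.pexels.com/videos/search
curl -s http://127.0.0.1:8000/asr
EOF
  # Only one of the two referenced .scpt files ships; check-fcp.scpt is missing on purpose.
  : > "$dir/scripts/list-projects.scpt"
}

# .scpt paths mentioned anywhere in the bundle that do not exist on disk.
missing_scpt() {
  local dir="$1" ref
  grep -rhoE '[A-Za-z0-9_./-]+\.scpt' "$dir" | sort -u | while read -r ref; do
    [ -e "$dir/$ref" ] || printf '%s\n' "$ref"
  done
}

# Absolute paths under a specific user's home directory baked into the scripts.
hardcoded_user_paths() {
  grep -rhoE '/Users/[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*' "$1" | sort -u
}

# Loopback host:port endpoints the scripts contact (services you must run yourself).
local_endpoints() {
  grep -rhoE '(127\.0\.0\.1|localhost):[0-9]+' "$1" | sort -u
}

# Upper-case environment variables the scripts expand, as $NAME or ${NAME...}.
env_refs() {
  grep -rhoE '\$\{?[A-Z][A-Z0-9_]+' "$1/scripts" | tr -d '${' | sort -u
}

# Those env vars that SKILL.md does not mention at all.
undeclared_env() {
  local dir="$1" name
  env_refs "$dir" | while read -r name; do
    grep -q "$name" "$dir/SKILL.md" || printf '%s\n' "$name"
  done
}

audit_skill() {
  local dir="$1"
  echo "== .scpt files referenced but missing =="; missing_scpt "$dir"
  echo "== hard-coded /Users paths =="; hardcoded_user_paths "$dir"
  echo "== loopback endpoints (run these yourself) =="; local_endpoints "$dir"
  echo "== env vars read but not declared in SKILL.md =="; undeclared_env "$dir"
}

# Demo against the constructed sample; point audit_skill at a real unpacked skill instead.
demo_dir=$(mktemp -d)
make_sample_skill "$demo_dir"
audit_skill "$demo_dir"
rm -rf "$demo_dir"
```

Run audit_skill against the unpacked skill directory before installing: anything under the first heading means the FCP automation cannot work as shipped, and anything under the remaining headings is a path, port or key you will have to supply or edit yourself.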

Like a lobster shell, security has layers — review code before you run it.

latest · vk978hngv3mf2jyft31vs4ht28n83kc1e


Runtime requirements

🎬 Clawdis
Bins: osascript, ffmpeg, ffprobe, curl, jq
