Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Organise videos

v1.0.0

Organize a video folder by cleaning non-video files, removing short/bad videos, and classifying videos into numbered subfolders using AI vision analysis.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The skill declares no required binaries or env vars, but the SKILL.md consistently uses ffmpeg, ffprobe, bc, find, mkdir, mv, rm and shell utilities. That is an incoherence: a user running this skill will need those binaries available. Requesting filesystem operations (move/delete) is consistent with 'organise videos', but the undeclared prerequisites are a problem.
!
Instruction Scope
The instructions direct the agent to scan a user-supplied folder, list and move or permanently delete files, extract frames into /tmp, and use an AI vision analysis step (Read tool) on images. Deletions are gated by AskUserQuestion in the flow, but many code snippets show unconditional rm/mv commands (no safety flags), placeholders like '[non-video files]' that could be mis-substituted, and use of a fixed /tmp directory (possible symlink/TOCTOU risks). The AI analysis step implies sending extracted frames to the model; the SKILL.md does not state whether image data stays local or is sent to an external service, so there is a privacy risk.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing is written to disk by the skill itself. That reduces installer risk. However, it still depends on external binaries at runtime (see Purpose & Capability).
Credentials
The skill declares no environment variables or credentials — that matches its stated purpose. There is no request for unrelated secrets or config paths.
Persistence & Privilege
The skill is not forced-always and does not request persistent/global privileges. It is user-invocable and can be run autonomously per platform defaults, which is normal. No evidence it modifies other skills or system-wide agent settings.
What to consider before installing
Before installing or running this skill:
(1) Understand it will run shell commands that can permanently delete or move files; make a backup or test on a copy of your folder first.
(2) Ensure the runtime environment has ffmpeg and ffprobe (and bc, find, standard shell utilities); the skill fails silently if these are missing but it does not declare them.
(3) Ask where the AI vision analysis runs: extracted frames may be sent to an external model or API, which could expose your video content; ask the skill author how images are handled and whether processing is local.
(4) Be cautious about the provided shell snippets: they use fixed temp paths (/tmp/video_frames) and plain rm/mv commands without safety checks; consider running interactively or adding safety flags and validation.
(5) Prefer installing only if you trust the owner or can inspect/modify the SKILL.md to add explicit binary requirements and safer command usage.
