Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ffmpeg

v0.1.0

Extract key frames (I-frames) from video files using FFmpeg command line tool. Use this skill when the user needs to pull out keyframes, thumbnails, or impor...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly describes extracting keyframes with FFmpeg and provides appropriate commands. However, the registry metadata lists no required binaries while the instructions explicitly require 'ffmpeg' to be installed and on PATH. That mismatch is unexpected and should be corrected (requires.binaries should list ffmpeg).
Instruction Scope
The runtime instructions only describe running local ffmpeg commands on an input video and writing output image files. They do not ask the agent to read unrelated files, access secrets, or contact external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or code to download or execute — lowest install risk.
Credentials
No environment variables, credentials, or config paths are requested. The skill's functionality needs only local ffmpeg and file access, which is proportional to its purpose.
Persistence & Privilege
The skill is not always-enabled and has normal autonomous invocation settings. It does not request elevated or persistent privileges.
What to consider before installing
This skill appears to do what it says (ffmpeg-based keyframe extraction) but the metadata failed to declare that ffmpeg is a required binary and the SKILL.md references a LICENSE.txt that isn't in the package. Before installing, confirm you have ffmpeg on PATH and that you trust any local video files you process. If you maintain the skill, update the registry metadata to list ffmpeg under required binaries and include the LICENSE.txt or remove the reference. Because metadata and files disagree, treat this as a mild red flag rather than a showstopper.

Like a lobster shell, security has layers — review code before you run it.
