Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Vidframes
v1.0.0 · Extract frames or short clips from videos using ffmpeg. And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, ch...
⭐ 0· 176·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description emphasize extracting frames or short clips using ffmpeg, but the SKILL.md contains no ffmpeg commands, no instructions for local file processing, and the skill does not declare ffmpeg as a required binary or provide commands to install or run it. Instead, the documentation is centered around a remote 'heybossai' API and many model calls. This is an incoherence: a local ffmpeg-based feature would legitimately require ffmpeg and file access, which are absent.
Instruction Scope
Runtime instructions are curl examples that call https://api.heybossai.com/v1 with Authorization: Bearer $SKILLBOSS_API_KEY and examples include sending audio as BASE64 or downloading results. The skill metadata allows Bash and Read tools (so the agent may read local files). Because examples show base64 audio uploads and generic 'run' endpoints, the agent could be instructed to read and transmit arbitrary local files or sensitive content to the remote API — the SKILL.md does not constrain what should or should not be uploaded.
Install Mechanism
Instruction-only skill with no install spec or downloaded code; nothing is written to disk by an installer. This is the lowest-risk install mechanism from a persistence/execution perspective.
Credentials
The only required environment variable is SKILLBOSS_API_KEY, which fits the documented use of a proxy API. However, that single key grants broad access to invoke many third-party models via the SkillBoss service (and likely incurs billing). Treat the key as highly privileged and limit its scope/permissions if possible.
Persistence & Privilege
always is false and there is no install step that modifies other skills or system-level config. The skill can be invoked autonomously (platform default) but it does not request elevated installation privileges.
What to consider before installing
This skill is inconsistent: it claims ffmpeg-based local frame extraction but only documents calling a remote API (heybossai) using SKILLBOSS_API_KEY. Before installing, confirm which behavior you expect. If you need local ffmpeg-based extraction, ask the author for explicit ffmpeg commands or a declared binary requirement. If you accept using the remote service, treat SKILLBOSS_API_KEY as highly sensitive — create a limited/revocable key, monitor billing, and avoid sending private files or secrets to the API. Also consider the unknown source and lack of homepage/documentation: ask the publisher for provenance and a privacy/billing policy before trusting this skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk971xh74bfnwy48pc8nh4hzdjn82skgs
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
