ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Video Editor

v2.0.0

Automated video editing skill for talk/vlog/standup videos. Use when: cutting video, splitting video into sentences, merging video clips, extracting audio, t...

0· 59·0 current·0 all-time
byLiu Jie@maxazure
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md match the described purpose (audio extraction, transcription, sentence-level splitting, subtitle burning, merging clips, Remotion-based generated videos). However the SKILL metadata only declares ffmpeg and python3 as required binaries while the SKILL.md and code clearly require Node.js/npm (Remotion, headless Chrome rendering, npm installs) and a headless browser for cover generation. That mismatch is an incoherence: a user following only the declared install steps may miss important runtime dependencies.
Instruction Scope
Runtime instructions operate on user-supplied media and local index files (media/, transcript.json, render_config.json) and instruct the agent to run Python scripts and npm/Remotion renders. The SKILL.md explicitly instructs editing transcript.json in-place (user confirmation step required). This is expected for a local video-editor, but callers should be aware the agent will modify files in the project directory and download large ML models (Whisper/HuggingFace) and fonts via network.
Install Mechanism
The registry provides a single install spec: brew formula for ffmpeg (reasonable). Other install steps are left to the SKILL.md (pip install faster-whisper, pip openai-whisper, npm install, headless Chrome requirement). That split is acceptable but incomplete: Node/npm and a headless browser are not declared as required binaries in the registry metadata or install spec. The skill will also download models from HuggingFace (or mirrors) and fonts from CDNs — expected but supply-chain/network activity should be considered.
Credentials
The skill does not request credentials or secret environment variables. Optional environment flags (e.g., USE_CN_MIRROR) are used only to choose mirrors. Network access is required for model and font downloads, but no credentials/exfiltration hooks are declared or evident in the code.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does modify project-local files (indexes, transcript.json) as part of normal workflow; this is expected for a project-level tool and is limited to the skill's working directories.
What to consider before installing
This skill appears to implement the described video-editing features and operates on local media and transcript files. Before installing/using: 1) Note missing runtime declarations — you need Python3 (declared), FFmpeg (installable via brew), plus Node.js/npm and a headless browser (Chrome/Chromium) to run Remotion and cover-generation; these are not included in the registry install block. 2) The scripts will download Whisper models (heavy, from HuggingFace or mirrors) and npm packages — expect significant network, disk, and CPU/GPU usage. 3) npm install / remotion render will execute third-party JS code (normal for Remotion) — run in a controlled environment if supply-chain risk is a concern (use an isolated VM or container). 4) The agent's runtime instructions modify transcript.json and write outputs under the project/media folders — back up important data first. 5) If you intend to let the agent run autonomously, consider restricting the skill's file-access context or testing manually first. If you want a lower-risk check, ask the maintainer for a fully-detailed install script (including Node/npm/headless browser steps) or run the workflow in an isolated environment and audit network activity during model/package downloads.

Like a lobster shell, security has layers — review code before you run it.

latestvk972tt458rzf7fn4jv811j4nw983r765

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
OSmacOS · Linux · Windows
Binsffmpeg, python3

Install

Install FFmpeg (brew)
Bins: ffmpeg
brew install ffmpeg

Comments