ClawHub
Back to skill
v1.2.1

Clips Machine

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:27 AM.

Analysis

This appears to be a coherent video-clipping skill that uses local media tools and saves transcripts/clips locally, with no artifact evidence of hidden credential use, exfiltration, or destructive behavior.

GuidanceBefore installing, be comfortable with installing and running ffmpeg, yt-dlp, and whisper-cpp locally. Use trusted video inputs, follow copyright/platform rules, and remember that transcripts and summaries of processed videos will be saved in the output folder.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
clips_machine.py
"yt-dlp", "--no-exec", "--no-playlist"

The code invokes local command-line tools to download and process media. This is central to the skill's purpose, and the shown call uses argument lists plus yt-dlp safety options rather than shell execution.

User impactThe skill will run media-processing programs on your machine and may download videos from supported sites when you provide a URL.
RecommendationUse it with video sources you trust and keep ffmpeg, yt-dlp, and whisper-cpp installed from reputable sources.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
brew install ffmpeg yt-dlp whisper-cpp

The setup depends on external binaries and package managers. This is disclosed and expected for local video processing, but the dependency versions are not pinned in the artifact.

User impactInstalling the required tools brings in software outside the skill itself, so your risk depends partly on those installation sources.
RecommendationInstall dependencies from trusted package repositories and update them normally.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
transcript.json      # Full transcript with timestamps

The documented output includes persistent transcript and analysis files. This is purpose-aligned, but it can preserve private spoken content from the input video.

User impactIf you process private recordings, their spoken contents may be saved as local transcript and summary files.
RecommendationReview the output folder after use and avoid processing confidential videos unless you are comfortable storing their transcripts locally.