Skill v1.0.0
ClawScan security
小米触屏闹钟视频制作 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 2:26 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what its name/description promise (download, crop, and compress Bilibili videos); the included script and SKILL.md are consistent with that purpose and request no unrelated secrets or privileged access.
- Guidance: This skill appears coherent and not malicious, but check the following before installing:
  1. Ensure yt-dlp (pip) and ffmpeg/ffprobe are installed and trusted, since the script depends on them but the registry metadata omitted them.
  2. The script writes files by default to ~/Documents; change --output_dir if you prefer a different location.
  3. The script uses subprocess.run without explicit error handling; run a test on a small file or in a sandbox to confirm behavior.
  4. No secrets are requested and there are no hidden network endpoints, but only run code from sources you trust.

  If you want higher assurance, inspect the included Python script (it is short and readable) and run it locally rather than granting broader automated execution privileges.
Review Dimensions
- Purpose & Capability (note): The skill's name/description match the provided code and instructions: downloading via yt-dlp, cropping with ffmpeg, and compressing to a target size. Minor inconsistency: the registry metadata lists no required binaries, but SKILL.md and the script require yt-dlp (python -m yt_dlp), ffmpeg and ffprobe to be available.
- Instruction Scope (ok): SKILL.md and the script confine their actions to downloading the provided URL, running ffprobe/ffmpeg and writing output files (default: ~/Documents). The instructions do not request unrelated files, credentials, or network endpoints beyond the video URL.
- Install Mechanism (ok): No install spec is provided (instruction-only plus a single Python script). This is low-risk: nothing is downloaded automatically by an installer. The user is expected to install yt-dlp and ffmpeg themselves.
- Credentials (ok): The skill requires no environment variables or credentials. The script uses only standard filesystem and subprocess calls and does not access secrets or other services.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system privileges or modify other skills/configs. It writes output files to a user-writable directory and then cleans temporary files.
