Skill v1.0.0

ClawScan security

Video Editor - 视频剪辑 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 9:28 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose and declared local dependencies match its code, but the included Python script appears truncated/corrupted and may not implement or safely run the claimed commands — verify and fix the code before use.
Guidance
This skill is coherent for local video editing, but the bundled Python script appears incomplete/corrupted and likely will not run as-is. Before installing or running: (1) inspect the full scripts/video_editor.py file and restore the missing/garbled portion (the CLI handling looks truncated), (2) run it in an isolated environment or VM, and install dependencies in a virtualenv (moviepy, pillow, numpy, imageio-ffmpeg / ffmpeg), (3) verify there are no hidden network calls or unexpected file accesses, (4) test the commands with non-sensitive sample videos to confirm behavior, and (5) if you’re not comfortable fixing the script, request a clean, complete source from the publisher. If you proceed, avoid running with elevated privileges and keep backups of important files.

Review Dimensions

Purpose & Capability
ok: The skill is a local video editor (moviepy + ffmpeg) and the SKILL.md, listed prerequisites (moviepy, pillow, numpy) and the code functions (trim, merge, text, music, etc.) align with that purpose. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
concern: SKILL.md instructs the agent to run local CLI commands on user video files (expected). However, the included scripts/video_editor.py in the package appears to be truncated (the CLI "merge" branch ends with 'out = me …[truncated]'), indicating the script is incomplete/corrupted. That makes the runtime instructions unreliable: commands may fail or crash. The script otherwise operates only on local files and fonts and does not attempt network calls, but the truncation is a functional and coherence problem.
Install Mechanism
ok: There is no install spec (instruction-only with a bundled script). This is low-risk from an install mechanism perspective, but the user must still install Python dependencies (moviepy, pillow, numpy) and ensure ffmpeg is available; those are reasonable for the stated purpose.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. The code reads local font file paths (Windows font paths) and user-supplied video/audio files only — reasonable for a local video editor.
Persistence & Privilege
ok: The skill does not request persistent elevated privileges and 'always' is false. It does not attempt to modify other skills or system-wide agent settings in the provided files.