RenderIO ffmpeg
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill coherently documents how to use RenderIO's cloud FFmpeg API, but users should notice that media and API credentials are sent to an external provider.
This appears appropriate for a cloud FFmpeg integration. Before installing or using it, make sure you trust RenderIO with the media you process, keep the API key secure, and review each command and file/URL before submitting a job.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the agent can submit media-processing jobs to RenderIO using the user's API key.
The skill enables command-line/API submission of FFmpeg jobs. This is central to the stated RenderIO FFmpeg-as-a-Service purpose, but users should review commands and input/output filenames before submission.
allowed-tools: Read, Write, Edit, Bash, WebFetch ... curl -X POST https://renderio.dev/api/v1/run-ffmpeg-command
Confirm the FFmpeg command, input URLs/files, and output names before allowing a job to be submitted.
The API key may grant access to the user's RenderIO account and any associated quota or billing.
The skill uses a RenderIO API key to authenticate requests. This is expected for the provider integration, but the registry metadata does not declare a primary credential or required env var.
export RENDERIO_API_KEY="ffsk_your_api_key_here" ... -H "X-API-KEY: $RENDERIO_API_KEY"
Store the key securely as an environment variable, avoid pasting it into chats or files, and revoke or rotate it if exposed.
Media URLs, processing instructions, and generated outputs may be visible to or stored by RenderIO, and signed URLs may allow access to results.
The skill sends processing commands and media references to an external provider, and the provider stores resulting outputs. This is purpose-aligned but creates an external data boundary users should understand.
You send an FFmpeg command over HTTP; RenderIO runs it in a secure cloud sandbox, stores outputs automatically, and returns signed download URLs.
Only process media you are allowed to share with RenderIO, and handle signed output URLs as sensitive links.