Skill v1.0.0

ClawScan security

Youtube Clip Curator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 10:52 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: an instruction-only helper that analyzes transcripts or supplied video files/URLs to propose clip candidates, and it does not request unrelated credentials or install code.
Guidance
This skill appears to do what it says, but before installing or running it consider: (1) If you provide a local MP4 path, the agent will need access to that file — only supply files you trust. (2) If you provide a YouTube URL and expect the agent to fetch the video, ensure the agent has permission/tools to download (yt-dlp/ffmpeg) or instead paste a transcript to avoid downloads. (3) The skill does not request API keys or credentials — don't supply unrelated secrets. (4) Ask for a small test run (3–5 clips) first to verify the output format and that any optional FCPXML/Resolve files meet your NLE workflow requirements.

Review Dimensions

Purpose & Capability
note: Name/description match the instructions: the SKILL.md focuses on analyzing transcripts or supplied video files/YouTube URLs and producing ranked clip metadata and optional NLE (FCPXML/Resolve) outputs. Minor mismatch: the doc mentions handling YouTube URLs and MP4 paths but the skill declares no required binaries (e.g., yt-dlp/ffmpeg) or network fetch behavior — if the agent will download or transcode video, it will need tools/permissions not enumerated here.
Instruction Scope
ok: The runtime instructions stay within the task: ask for a YouTube URL / MP4 path / transcript, request style/template and clip counts, analyze the transcript, and produce JSON and optional NLE/thumbnail outputs. There are no instructions to read unrelated system files, request unrelated credentials, or exfiltrate data to third-party endpoints.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest-risk install footprint. Nothing is downloaded or written by an installer in the registry metadata.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The data it asks for (transcript, MP4 path, YouTube URL) is appropriate for its purpose. Note: providing local MP4 paths implies the agent will need file access; providing a YouTube URL implies the agent may fetch remote content — both are proportional but require user awareness of file/network access.
Persistence & Privilege
ok: The skill does not request always:true and uses default invocation settings. It does not modify other skills or system-wide settings in its instructions.