Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Stitcher

v1.0.0

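Video clip stitching and post-processing. Takes a list of video clips as input and outputs a complete video. Supports transition effects, background music, and subtitle overlays. Uses FFmpeg or Remotion under the hood. Trigger phrases: 拼接视频 (stitch videos), 合并视频 (merge videos), 视频剪辑 (video editing), video stitch, concatenate videos, add transitions.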

by Olivia_Pp (@oliviapp8)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly describes video stitching using FFmpeg or Remotion, which is consistent with the skill name and description. However, the registry metadata lists no required binaries or runtime dependencies even though the instructions assume FFmpeg (and optionally Remotion/Node). The absence of declared runtime requirements is an inconsistency: a user installing this skill would reasonably need FFmpeg and/or a Node/Remotion environment.
Instruction Scope
The runtime instructions stay within the stated purpose: validating clip accessibility, normalizing formats/resolutions, building ffmpeg filter graphs, and running rendering. They reference creating files (e.g., list.txt), reading local paths and URLs, and executing ffmpeg commands. These are expected for a video-stitcher. Note: steps like "verify all clips are accessible" and accepting clips as URLs are somewhat vague and grant the agent discretion to fetch remote resources and access local files—this is operationally normal but should be acknowledged by an operator.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. No external downloads or install actions are specified in the metadata or SKILL.md.
Credentials
The skill declares no required environment variables or credentials, which fits its offline media-processing purpose. But it implicitly requires system binaries (FFmpeg) and possibly Node/Remotion; those runtime needs are not declared. That mismatch (no 'required binaries' listed while examples call ffmpeg and Remotion) reduces proportionality transparency and may surprise users or operators.
Persistence & Privilege
The skill does not request 'always' presence and does not modify other skills or system-wide configuration. Autonomous invocation is allowed (platform default), which is reasonable for a user-invocable tool of this type.
What to consider before installing
Before installing or enabling this skill, note the following:
(1) it expects FFmpeg (and possibly a Node/Remotion environment) even though the registry metadata lists no required binaries—ensure those runtimes are installed and sandboxed if needed;
(2) the skill's runtime steps accept local file paths and URLs and run ffmpeg commands, so avoid passing untrusted remote URLs or arbitrary local paths (these could cause unexpected network fetches or process/file access);
(3) video rendering is CPU/disk intensive—run large renders in controlled environments and check resource limits;
(4) review any ffmpeg command lines generated before execution to avoid unsafe command injection if user-supplied inputs are concatenated into shell commands; and
(5) if you need stricter assurance, ask the publisher to update metadata to declare required binaries and provide a minimal test script or provenance (homepage/source) so you can verify expected behavior.
Because of the metadata/instruction mismatch, proceed cautiously or run the skill in an isolated/sandboxed environment.

