Skill v1.0.0
ClawScan security
cutmv Video Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 3:43 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (FFmpeg-based video processing); it needs no credentials or unusual installs and primarily runs local ffmpeg/ffprobe commands.
- Guidance: This skill appears to do only local video processing via your system ffmpeg and does not request secrets or network endpoints. Before installing: (1) ensure ffmpeg is from a trusted source (official builds) because the skill will execute it on files you provide; (2) be aware that running ffmpeg on untrusted media can expose ffmpeg vulnerabilities—avoid processing files from unknown sources; (3) if you want maximum assurance, inspect skill.py (particularly the eval() use for frame-rate parsing) and consider replacing eval with a safe parser; (4) note that the repository/source metadata and homepage are missing — if provenance is important, ask the author for a repository or signed release.
Review Dimensions
- Purpose & Capability (ok): Name/description (video cutting, conversion, compression, frame/audio extraction, watermarking, subtitles) align with the code and SKILL.md. The skill only requires FFmpeg on PATH and Python 3.7+, which is appropriate for the claimed functionality. The package does not request unrelated binaries, env vars, or config paths.
- Instruction Scope (note): SKILL.md and skill.py direct the agent to run local ffmpeg/ffprobe subprocesses and operate on local files only, which matches the purpose. Minor note: skill.py uses eval(video_stream.get('r_frame_rate', '0/1')) to compute FPS from ffprobe output — this is convenient but introduces a small code-injection risk if ffprobe output is tampered with or maliciously crafted. Otherwise instructions do not read unrelated files or exfiltrate data.
- Install Mechanism (ok): No install spec; this is an instruction-only skill that expects a system ffmpeg. No remote downloads or extracted archives are executed by the skill, minimizing install-time risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. All operations are local filesystem and subprocess calls to ffmpeg/ffprobe, which is proportionate to video processing.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system-wide changes or modify other skill configs. It does not declare autonomous elevation or special privileges beyond normal execution.
