v1.0.0

Feishu Video Editor

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:56 AM.

Analysis

The skill’s video-editing purpose is coherent, but it builds shell commands from user-provided video arguments and has under-scoped Feishu auto-upload behavior, so it should be reviewed before installation.

Guidance: Review and ideally patch the shell-command construction before using this skill. Also confirm exactly how Feishu authentication, upload destination, cleanup, and dependency versions will be managed before processing private or business videos.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High; Confidence: High; Status: Concern
src/index.ts
const args = [ PYTHON_SCRIPT, command, videoPath, '--config', configPath, ...extraArgs ];
const cmd = `python3 ${args.join(' ')}`;
...
await execAsync(cmd

The command includes user-controlled values such as videoPath, startTime, and endTime, then runs them through a shell via execAsync without escaping or argument separation.

User impact: A crafted video path or crop argument containing shell metacharacters could run unintended commands on the user’s machine when the skill processes a video.
Recommendation: Replace shell-string execution with execFile or spawn using an argument array, validate video paths and timestamps, and reject shell metacharacters where they are not needed.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
requirements.txt
openai-whisper>=20230314
librosa>=0.10.0
pydub>=0.25.1
pysrt>=1.1.2
numpy>=1.24.0

The skill depends on external PyPI packages using lower-bound versions rather than pinned versions; this is expected for its video/ASR purpose but leaves install-time dependency resolution broad.

User impact: A future dependency version could change behavior or introduce vulnerabilities even if the skill code itself is unchanged.
Recommendation: Pin dependency versions or provide a lockfile, and document the required FFmpeg/Python dependencies in the registry install metadata.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: Medium; Status: Concern
SKILL.md
| **Result upload** | ✅ | Automatically uploaded to Feishu once editing completes | ... "auto_upload": true

The skill documents automatic upload to Feishu cloud storage, but the provided metadata declares no primary credential, environment variables, or scoped account boundary for Feishu access.

User impact: Installing users may not understand what Feishu account authority, folder, or upload permissions the skill will need or use.
Recommendation: Declare the Feishu authentication method and permission scope, make the upload destination explicit, and require user confirmation or clear configuration before cloud uploads.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Skill downloads the video locally ... uploads the result to Feishu cloud storage ... the video will be downloaded locally for processing

The artifacts disclose a data flow where videos move from Feishu to local processing and then back to Feishu; this is purpose-aligned but involves potentially sensitive media crossing local/cloud boundaries.

User impact: Private meeting recordings or other sensitive videos may be copied locally and then uploaded to cloud storage as part of normal operation.
Recommendation: Use the skill only with videos appropriate for local processing and Feishu upload, and document cleanup, retention, and upload controls clearly.