audio-tools
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its audio-processing purpose, but it contains unsafe dynamic code execution and can auto-install unpinned Python packages at runtime.
Install only if you trust the code and dependencies. Avoid using it on untrusted media until the eval call is removed, and approve or perform dependency installation manually with pinned versions where possible.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Processing a crafted or untrusted media file for metadata could potentially run code on the user's machine.
The script evaluates a value derived from media metadata instead of parsing it as a numeric ratio. If an unexpected or attacker-influenced value reaches this field, eval could execute Python code.
"fps": eval(stream.get("r_frame_rate", "0/1")),  # e.g. "30/1" -> 30.0
Replace eval with a safe parser such as fractions.Fraction, or validate the numerator and denominator explicitly before converting the ratio to a float.
The first use of the skill may download and install package code into the local Python environment, which can change the system and introduce supply-chain risk.
If moviepy is missing, the script installs an unpinned package at runtime. This is disclosed as a fallback, but it is not represented as a formal install spec and lacks a separate approval or version pin.
[sys.executable, "-m", "pip", "install", "moviepy"]
Declare dependencies in an install spec or requirements file, pin versions, and require explicit user approval before runtime package installation.
