Skill v1.0.0

ClawScan security

audio-tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 22, 2026, 5:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent with an on-disk Windows-focused audio/video utility; nothing in the package indicates hidden exfiltration or unrelated privileges, but there are some operational choices (bundled executables, runtime pip installs, fixed work directory) you should understand before installing.
Guidance
This skill appears to do what it says: audio/video processing using ffmpeg/moviepy and Whisper. Before installing, consider the following:
1) Bundled ffmpeg: the skill recommends placing ffmpeg.exe in its local bin; that executable will be invoked by the script — only use an ffmpeg binary from a trusted source (official ffmpeg builds).
2) Runtime pip installs: the script auto-installs Python packages (moviepy, and likely whisper) via pip at runtime. That requires network access and will pull code from PyPI; if you need stricter control, preinstall dependencies in a controlled environment.
3) Fixed work directory: it defaults to D:\workbuddy (Windows); ensure you understand where files will be read/written or supply absolute paths to avoid surprises.
4) Sandbox if unsure: if you do not trust the skill owner or the bundled binaries, run it in an isolated VM/container and inspect any bundled executables.
5) This package makes subprocess calls (ffmpeg, pip); those are expected for media tools but mean it can execute local binaries — validate those binaries.
If you want extra assurance, review the remaining portions of scripts/audio_tools.py (transcribe/play/metadata implementations) to confirm there are no network callbacks or unexpected remote endpoints.

Review Dimensions

Purpose & Capability
ok
Name/description (audio extraction, clip, play, transcribe, metadata) matches the provided SKILL.md and the included Python script. Required capabilities (ffmpeg, moviepy, whisper) are reasonable for the stated functionality. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note
Runtime instructions and the script operate on files under a fixed work directory (D:\workbuddy) and explicitly read/write media files there (or absolute paths provided by the user). The SKILL.md and code instruct the agent to run local python scripts, call ffmpeg/ffprobe/ffplay if present, or use moviepy/whisper. That behavior is expected for the stated purpose, but the fixed Windows work_dir and the practice of preferring a bundled ffmpeg in the skill directory deserve attention (see guidance).
Install Mechanism
note
There is no formal install spec, but the script performs runtime actions that install dependencies: it will attempt pip installs (moviepy, and likely whisper on first transcribe). This is moderate-risk but proportionate to the functionality. The skill also documents and encourages bundling ffmpeg.exe in its local bin directory — running a local binary is expected for media handling but increases the importance of trusting that binary.
Credentials
ok
The skill requests no environment variables, credentials, or external config paths. It only needs standard local filesystem access to the declared work_dir and optional ability to execute ffmpeg or python pip. The lack of secret/credential requests is appropriate for an offline media tool.
Persistence & Privilege
ok
always is false and model-invocation/autonomy remains default; the skill does not request permanent platform-wide privileges or modify other skills. It writes outputs to its working directory but does not appear to alter agent configs or other skills.