ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RoughCut

v1.0.0

Run RoughCut headlessly on macOS to generate Final Cut Pro (FCPXML) rough-cut timeline variants from a talking-head video — local-first, no media upload.

0· 632·0 current·0 all-time
by@samergmtm22
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (headless RoughCut -> FCPXML variants) align with the declared requirements: ffmpeg, python3, node/npm, curl and a shell runner are reasonable for a media-processing runner that invokes local scripts. The skill requires the RoughCut repo to be present locally, which matches the described operation.
Instruction Scope
SKILL.md keeps scope narrow: it asks the agent to verify a local video path or a user-provided download URL and to invoke a script inside the local repo ($REPO_ROOT/scripts/openclaw/roughcut.sh). That is expected, but running a user-local shell script means the agent will execute arbitrary code from the repo — the skill does not bundle or vet that code, so the user must ensure the repo at REPO_ROOT is trusted and matches the referenced GitHub project.
Install Mechanism
No install spec (instruction-only) — nothing is downloaded or installed by the skill itself. This minimizes installation risk; the skill assumes required binaries are already installed.
Credentials
The only declared credential is GEMINI_API_KEY, and the SKILL.md documents it as optional and only used for fluff removal. No unrelated secrets or many environment variables are requested. If fluff removal is disabled, the key is unnecessary.
Persistence & Privilege
always is false and there is no install that persists code or modifies other skill/system configs. The skill does instruct running a local script, but it does not request persistent privileges or force-inclusion.
Assessment
This skill is coherent with its purpose, but exercise normal caution: verify that the RoughCut repo exists at the REPO_ROOT you point to and audit $REPO_ROOT/scripts/openclaw/roughcut.sh before running (it will be executed by the agent). GEMINI_API_KEY is optional — only provide it if you enable fluff removal and you trust the model call. Prefer running the script manually once to confirm behavior and outputs, and ensure OUTPUT_ROOT and REPO_ROOT point to safe directories (so downloaded video and intermediate files aren't saved into sensitive locations).

Like a lobster shell, security has layers — review code before you run it.

latestvk9719as3tpfpa26fc0vfy8ym6x81781f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSmacOS
Binsbash, python3, curl, ffmpeg, node, npm
Configskills.entries.roughcut.config.repo_root, skills.entries.roughcut.config.output_root
Primary envGEMINI_API_KEY

Comments