Video Analysis Workflow: Video Case Analysis Assistant

Pass. Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: video-analysis-workflow
Version: 1.0.0

The skill implements a complex video analysis workflow that involves downloading content from external platforms (Douyin, Bilibili), executing local AI models (Whisper), and running PowerShell scripts with 'ExecutionPolicy Bypass' for environment setup (SKILL.md). While the behavior aligns with the stated purpose of video analysis, the skill introduces significant security risks, including potential command injection via unvalidated URLs/file paths passed to shell tools like yt-dlp and FFmpeg, and the capability to access sensitive browser cookies for authentication, even if the instructions mandate user consent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Granting this permission could expose logged-in session data to the agent or downloader, not just the single video being analyzed.

Why it was flagged

The workflow may access local browser cookies, which are session credentials. Although it requires user authorization, the artifacts do not clearly specify which browser/profile/site cookies are read, whether only the target platform is used, or how cookie data is constrained.

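Skill content

If the downloader indicates that cookies are required, the assistant will first ask:

> Allow reading browser cookies to retry the download?

Without authorization, browser cookies will not be read.

Recommendation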

Only authorize cookie access for a specific, trusted download attempt. Prefer manually downloading the video or using a dedicated browser profile with only the needed platform login.

What this means

Running an unreviewed setup script could change the local environment or install packages beyond what the registry metadata declares.

Why it was flagged

The skill documents a first-use setup script that installs FFmpeg, Python, Whisper, openai-whisper, and yt-dlp, but the supplied manifest does not include that script for review. This is aligned with the video-analysis purpose, but its provenance is not verifiable from the artifacts.

Skill content

powershell -ExecutionPolicy Bypass -File <Skill目录>\scripts\setup-video-case-env.ps1

Recommendation

Inspect the setup script before running it, confirm the package sources, and run it only in an environment where installing media-analysis tools is acceptable.

What this means

Saved transcripts, frames, prompts, and metadata could be reused later or shared with teammates if the case library is synced or exposed.

Why it was flagged

The skill intentionally stores transcripts and structured outputs for later AI workflow reuse. This is purpose-aligned, but it creates persistent local/team knowledge artifacts that may contain private video content or source paths.

Skill content

The original Whisper files are also kept: `.json`, `.srt`, `.txt`, `.vtt`, `.tsv`, so that later AI workflows can call them and people can review them manually.

Recommendation

Store the case library in a controlled location, avoid adding confidential videos unless appropriate, and review generated notes before sharing or syncing them.