Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Arch Video Cut

v1.0.4

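Automatically merges architecture videos, generates subtitles and background music, outputs both landscape and portrait versions, and supports self-learning optimization of editing preferences.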

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement video merging, subtitle burning, BGM generation, and a preference learner — all consistent with the description. Requested tools (ffmpeg, ffprobe) are appropriate. However the scripts reference a hard-coded absolute audio path (/Users/baushua/Desktop/新录音 74.m4a) and a specific Homebrew cellar path for ffmpeg (/usr/local/Cellar/ffmpeg-full/8.0.1_3/bin/ffmpeg), which are not generally applicable and suggest copy/paste or test artifacts rather than required capabilities.
Instruction Scope
SKILL.md tells the agent/user to run the included Python scripts and install ffmpeg/faster-whisper — appropriate. But the runtime instructions and scripts assume specific filesystem locations (exact Desktop filename and Homebrew cellar path) and reference inconsistent skill directories in documentation (doubao-skill-v2 vs arch-video-cut). The scripts read and write local files only; there are no network calls. Still, the hard-coded paths give the code broad file access expectations that may unexpectedly read files on the host.
Install Mechanism
No install spec (instruction-only) and no external downloads — low installation risk. The SKILL.md asks the user to install ffmpeg-full via brew and optionally faster-whisper via pip; those are reasonable. The code, however, uses a precise Homebrew cellar path instead of invoking 'ffmpeg' on PATH, which is brittle and may fail or cause unexpected binary usage if the path exists and points to a different binary.
Credentials
No environment variables or external credentials are requested. The script stores preferences in a local config under the skill. The main proportionality concern is the hard-coded absolute AUDIO_FILE path (reads from /Users/baushua/Desktop/...), which is not a credential but does implicitly assume and read a user-specific location — this should be parameterized.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It writes/reads its own config under the skill workspace and does not modify other skills or global agent settings. Persistence is limited to the local preference JSON and output files in the skill's data/ directory.
What to consider before installing
This package appears to implement the advertised local video-editing features, but it has several sloppy or brittle choices you should fix before running:
1) Update the hard-coded AUDIO_FILE path (/Users/baushua/...) to a path you control or make it a CLI/config parameter — otherwise the script will try to read that exact Desktop file.
2) Replace the hard-coded ffmpeg binary path with a generic 'ffmpeg' on PATH (or allow configuring the ffmpeg path) because the cellar path will not exist for most users.
3) Note the README/guide inconsistencies (references to doubao-skill-v2); double-check config file locations (config/user_preferences.json) so you know where preferences will be written.
4) Inspect the scripts locally before running, run them in a sandbox or temporary account if possible, and back up any important files.
If you plan to run this on a CI or multi-user machine, parameterize input/output paths and confirm ffmpeg behavior. These issues look like sloppy engineering rather than intentional malice, but they increase the chance of accidental file reads or failures — proceed only after making the paths explicit and reviewing the code.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, architecture, editing, ffmpeg, latest, video

