Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audio Editor

v1.0.0

Perform audio editing tasks including trimming, volume adjustment, format conversion, and extracting audio from video files using natural language commands.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Skill claims audio editing and the script performs ffmpeg-based operations, which is consistent. However the registry metadata lists no required binaries while SKILL.md names ffmpeg >= 5.0; the script also relies on grep -P and bc but those are not declared. This mismatch between declared requirements and actual runtime needs is worth noting.
Instruction Scope
The runtime script (scripts/audio_run.sh) parses natural-language input but falls back to echoing the raw user-provided string and then runs eval on it. That means if the command doesn't match the simple parsing rules the script will execute arbitrary shell code supplied by the user. Constructed ffmpeg commands are built without robust quoting/escaping, so malicious or malformed filenames or input could lead to command injection or unintended shell execution. The SKILL.md does not warn about this behaviour or limit allowed inputs.
Install Mechanism
No install spec (instruction-only plus a helper script). Nothing is downloaded or written by an installer, which reduces supply-chain risk. The script itself will run locally when invoked.
Credentials
The skill requests no credentials or special environment variables. It does use $HOME for a default output path and expects ffmpeg, grep (with -P support), and bc to be available — these are reasonable for audio processing but were not fully declared in registry metadata.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request persistent system-wide changes or modify other skills/configs.
What to consider before installing
This skill performs audio work with ffmpeg, which matches its description, but the included script constructs shell commands and uses eval on user-provided text. That allows arbitrary shell execution if input is not strictly controlled. Before installing or running: (1) ensure you trust the skill source; (2) inspect and test the script in a safe environment; (3) do not run it with untrusted natural-language inputs; (4) consider patching the script to remove eval, build command arrays, properly quote/escape filenames, and whitelist acceptable operations; (5) ensure ffmpeg, grep -P, and bc are available. If you need the same functionality in a higher-security context, prefer a version that avoids eval and validates inputs.

Like a lobster shell, security has layers — review code before you run it.
