Skillv1.0.2

ClawScan security

Video Extractor Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 16, 2026, 11:33 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions match its stated purpose (extracting frames/clips using ffmpeg); there are no unexpected network calls, credential requests, or strange install steps, but it does run local ffmpeg/ffprobe subprocesses so you should ensure ffmpeg is present and up-to-date and avoid processing untrusted media.
Guidance: This skill appears coherent with its stated purpose. Before installing, consider: (1) ffmpeg/ffprobe must be installed in the agent environment (the script invokes them via subprocess); (2) ffmpeg has had security vulnerabilities in the past—process untrusted or user-uploaded media in a sandboxed environment and keep ffmpeg up to date; (3) the script executes ffmpeg with argument lists (not via a shell), reducing shell-injection risk, but you should still validate file paths you pass to it and avoid giving it arbitrary system paths; (4) no network exfiltration or secret access is requested by the skill, so typical concerns are limited to local resource use and the safety of processed media files.

Purpose & Capability: okName/description (frame/clip extraction) aligns with the included script and _meta.json. The code implements frame extraction, interval extraction, clip extraction/re-encode, GIF creation and info using ffmpeg/ffprobe as expected. No unrelated capabilities or credentials are requested.
Instruction Scope: okSKILL.md is narrowly scoped (features and trigger words) and the script only reads user-supplied video paths and writes outputs. There are no instructions to read unrelated files, environment variables, system configs, or to send data externally. The script executes ffmpeg/ffprobe subprocesses (expected for this task).
Install Mechanism: okNo install spec is provided (instruction-only), and the only external dependency is ffmpeg/ffprobe declared in _meta.json. Nothing is downloaded or written by an installer—low install risk. The agent environment must already have ffmpeg/ffprobe available.
Credentials: okThe skill requests no environment variables, credentials, or config paths. This is proportionate for a local video-processing tool.
Persistence & Privilege: okalways is false and the skill does not modify other skills or system-wide settings. It does not request persistent elevated privileges.