Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Clip
v1.0.0Use when the user wants to trim, cut, or extract a specific segment from a video by time range — e.g. "cut from 1:30 to 3:00", "trim the first 2 minutes", "e...
⭐ 1· 656·2 current·2 all-time
byBoShen@symbolk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose (local trimming via ffmpeg) matches the included scripts: scripts/clip.sh performs local stream-copy clipping and only needs ffmpeg. However, SKILL.md also documents an optional 'AI Edit' feature that performs uploads to an external Sparki API and requires SPARKI_API_KEY. That extra capability extends the skill beyond the stated 'local, no API key needed' scope and is not clearly reflected in the skill's declared requirements.
Instruction Scope
The runtime instructions for the primary Clip tool are narrowly scoped and only invoke the local scripts/clip.sh. But SKILL.md includes full example code and step-by-step commands that will upload user video files to an external API (SPARKI_API_BASE pointing at agent-api-test.aicoding.live) and poll for results. Those instructions also show a line that will fail if SPARKI_API_KEY is not set (: "${SPARKI_API_KEY:?Error: SPARKI_API_KEY is required...}"). The presence of explicit upload/poll code in the documentation means an agent following those instructions could transmit user videos off-host — behavior outside the simple clipping purpose.
Install Mechanism
No install spec is provided (instruction-only skill plus a local script). There are no downloads or archive extraction instructions. The included clip.sh is a local Bash script that checks for ffmpeg and runs it; this is low risk from an install mechanism perspective.
Credentials
Declared requirements list no environment variables, but SKILL.md includes an AI Edit workflow that requires SPARKI_API_KEY (and uses openclaw config set env.SPARKI_API_KEY in examples). That is a mismatch: an environment secret (API key) is referenced and effectively required for the AI Edit flow, yet the registry metadata does not declare it. Requesting an API key that would enable uploading user videos to an external service is disproportionate to the core local trimming function unless the user explicitly opts into the AI Edit feature.
Persistence & Privilege
always is false, user-invocable and autonomous invocation defaults are normal. The skill does not request persistent privileges or modify other skills or system-wide configs (other than example instructions showing how to set an env var in openclaw).
What to consider before installing
This skill's local clip.sh is coherent and appears safe for trimming videos locally (it checks for ffmpeg and performs a stream-copy). However, SKILL.md also includes an optional 'AI Edit' workflow that will upload videos to an external Sparki API and requires a SPARKI_API_KEY; that API key is not declared in the skill metadata. Before installing or running any AI Edit examples: (1) confirm you understand and trust the external endpoint (agent-api-test.aicoding.live / sparki.io) and their data retention/privacy policies, (2) do not provide your API keys unless you intend to use that remote service, and (3) if you only need local trimming, run scripts/clip.sh directly and avoid the AI Edit commands. If you want higher assurance, ask the publisher to declare SPARKI_API_KEY in the registry metadata (and provide the official production API base) or remove the upload instructions from the skill if uploads are not intended.Like a lobster shell, security has layers — review code before you run it.
latestvk971v8sf5mjch6rr4fne7mp16h821jnj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
✂️ Clawdis
OSmacOS · Linux
Binsffmpeg