Skill v1.0.0

ClawScan security

Video Clip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 8:10 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's primary clipping tool is a simple local ffmpeg script (coherent), but the SKILL.md also contains an optional AI Edit workflow that uploads videos to an external service and requires an API key that is not declared in the skill metadata — this mismatch and the external upload behavior warrant caution.
Guidance
This skill's local clip.sh is coherent and appears safe for trimming videos locally (it checks for ffmpeg and performs a stream-copy). However, SKILL.md also includes an optional 'AI Edit' workflow that will upload videos to an external Sparki API and requires a SPARKI_API_KEY; that API key is not declared in the skill metadata. Before installing or running any AI Edit examples: (1) confirm you understand and trust the external endpoint (agent-api-test.aicoding.live / sparki.io) and their data retention/privacy policies, (2) do not provide your API keys unless you intend to use that remote service, and (3) if you only need local trimming, run scripts/clip.sh directly and avoid the AI Edit commands. If you want higher assurance, ask the publisher to declare SPARKI_API_KEY in the registry metadata (and provide the official production API base) or remove the upload instructions from the skill if uploads are not intended.

Review Dimensions

Purpose & Capability
note: The stated purpose (local trimming via ffmpeg) matches the included scripts: scripts/clip.sh performs local stream-copy clipping and only needs ffmpeg. However, SKILL.md also documents an optional 'AI Edit' feature that performs uploads to an external Sparki API and requires SPARKI_API_KEY. That extra capability extends the skill beyond the stated 'local, no API key needed' scope and is not clearly reflected in the skill's declared requirements.
Instruction Scope
concern: The runtime instructions for the primary Clip tool are narrowly scoped and only invoke the local scripts/clip.sh. But SKILL.md includes full example code and step-by-step commands that will upload user video files to an external API (SPARKI_API_BASE pointing at agent-api-test.aicoding.live) and poll for results. Those instructions also show a line that will fail if SPARKI_API_KEY is not set (: "${SPARKI_API_KEY:?Error: SPARKI_API_KEY is required...}"). The presence of explicit upload/poll code in the documentation means an agent following those instructions could transmit user videos off-host, which is behavior outside the simple clipping purpose.
Install Mechanism
ok: No install spec is provided (instruction-only skill plus a local script). There are no downloads or archive extraction instructions. The included clip.sh is a local Bash script that checks for ffmpeg and runs it; this is low risk from an install mechanism perspective.
Credentials
concern: Declared requirements list no environment variables, but SKILL.md includes an AI Edit workflow that requires SPARKI_API_KEY (and uses openclaw config set env.SPARKI_API_KEY in examples). That is a mismatch: an environment secret (API key) is referenced and effectively required for the AI Edit flow, yet the registry metadata does not declare it. Requesting an API key that would enable uploading user videos to an external service is disproportionate to the core local trimming function unless the user explicitly opts into the AI Edit feature.
Persistence & Privilege
ok: always is false; user-invocable and autonomous invocation defaults are normal. The skill does not request persistent privileges or modify other skills or system-wide configs (other than example instructions showing how to set an env var in openclaw).