Video Content Analyzer (Batch)
Advisory. Audited by static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against a production Supabase project, the agent may have broad database write authority beyond a single user's normal permissions.
The code uses a Supabase service-role key for database operations. That is high-privilege access, and the skill also accepts a user_id parameter without showing authorization checks.
self.service_key = service_key or os.getenv("SUPABASE_SERVICE_ROLE_KEY") ... self.client: Client = create_client(self.supabase_url, self.service_key)
Use least-privilege, user-scoped credentials where possible; validate user_id ownership server-side; clearly declare the required credentials in metadata; and avoid giving the skill a production service-role key unless it is fully trusted.
Video keyframes could become publicly viewable if stored in that bucket.
The supplied schema creates a public storage bucket and public read policy for extracted frames, which may be sensitive if frames from private videos are stored there.
('extracted-frames', 'Extracted video frames', true); ... create policy "Public can view extracted frames" on storage.objects for select using (bucket_id = 'extracted-frames');
Make extracted-frame storage private by default, use signed URLs or per-user access policies, and disclose any public sharing before setup.
Installing the skill could introduce unrelated ongoing-watch behavior or confuse the agent about what work it should continue doing.
The package contains an active watch instruction for an unrelated deal-desk workflow, not the video analyzer.
## Active Watch — dealdesk-review-window - Watch path: /workspace/run/project/incoming/ - On change: re-read new or modified files, update tracker...
Remove unrelated heartbeat/watch files from the skill package, or explicitly isolate them from the video analyzer.
The agent may route outputs, use paths, or preserve blockers based on unrelated remembered context rather than the user's video-analysis task.
Persistent memory/preferences for an unrelated workflow are bundled with the skill and could be over-trusted by an agent after installation.
## Family Preference Token — dealdesk-review-window - tracker-path: tracker/dealdesk-review-window.md - summary-path: reports/dealdesk-review-window-summary-2026-03-29.md
Do not ship workspace memory with the skill unless it is essential, clearly scoped, and namespaced to the skill's purpose.
The installed package may expose or encourage unrelated browser automation and session-state handling that the user did not expect from a video-analysis skill.
A separate browser-automation skill with cookie/storage persistence is bundled inside the video analyzer package, but it is not part of the stated video workflow.
Headless browser automation CLI ... State Persistence ... agent-browser state save auth.json
Remove the nested browser skill or publish it separately with its own review, metadata, and user consent.
Users may trust generated wiki reports as real video-content analysis even though the current implementation appears generic or demo-like.
The skill is presented as video content analysis, but the code shown does not actually derive search terms or tags from frame content.
content_tags=[] # Would be populated by OCR/vision model in production ... search_query = f"reference information for frame content"
Clearly label this limitation, or add actual OCR/vision analysis before publishing reports as content findings.
Running batch processing can create many persistent wiki pages in the selected Feishu space.
The skill intentionally creates pages in a Feishu Wiki space. This is disclosed and purpose-aligned, but it is still a third-party account mutation.
Publish individual analysis pages to Feishu Wiki ... Create a category index page per category linking to all its video analyses
Use a test space first, review generated content, and ensure the Feishu app only has the permissions needed for the target space.
The skill depends on local ffmpeg behavior and will process user-supplied media files, which should be done in a reasonably sandboxed environment.
The skill invokes ffmpeg through ffmpeg-python to parse and extract frames from videos. This is central to the purpose, but the registry metadata does not declare ffmpeg as a required binary.
ffmpeg.input(video_path, ss=time_seconds).output('pipe:', vframes=1, format='image2', vcodec='mjpeg', qv=quality).run(...)
Declare ffmpeg as a required binary and keep it updated; avoid processing untrusted media in a privileged environment.
