ClawHub
Back to skill
v1.0.0

Video Post Production

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:34 AM.

Analysis

This skill appears to do the advertised local video post-production work, with the main cautions being local command execution, an unpinned dependency install, and transcript files saved beside the video.

GuidanceBefore installing, be comfortable with the agent running ffmpeg/Python locally, installing faster-whisper from your package source, and creating transcript and render files beside the input video. Use trusted dependency sources, check optional BGM/SFX licensing, and delete intermediate transcript files if the video contains sensitive content.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
python3 <skill-path>/scripts/render_video.py ... --input "<input_video>" ... --output "<workdir>/final.mp4"

The workflow explicitly runs bundled Python scripts and ffmpeg-based processing to render the user's video. This command execution is disclosed and central to the skill's purpose.

User impactThe agent may run local video-processing commands that read the input video, use CPU/GPU/disk, and create or overwrite files in the working output directory.
RecommendationUse the skill only on videos and output paths you intend to process, and review the generated output directory before sharing files.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
pip3 install faster-whisper

The setup guidance installs an external Python package without a pinned version or checksum. This is purpose-aligned for transcription, but it depends on package-source trust.

User impactInstalling the dependency may pull whatever package version is current in the configured Python package index.
RecommendationInstall dependencies from a trusted environment, consider pinning a known-good version, and avoid running the setup with unnecessary privileges.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
scripts/align_speech.py
"text": segment.text.strip(), "words": words_data

The transcription script writes spoken text and word-level timing into the alignment JSON. That is expected for subtitle generation, but it persists private speech as text.

User impactIf the raw video contains sensitive speech, the output folder will contain a readable transcript and timing data in addition to the rendered video.
RecommendationKeep the output directory in a trusted location and delete alignment or plan files when you no longer need them.