Skill v1.0.2
ClawScan security
short-video-content-replicator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 8, 2026, 1:17 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's high-level purpose (a 6-step short-video processing workflow) matches the orchestration code, but it depends on many external sibling 'atomic' skills and references several local wrapper scripts that are not present — this mismatch and the fact it will execute arbitrary scripts from a sibling skills/ tree are concerning and deserve review before use.
- Guidance: This skill is an orchestrator that runs other Python scripts in a sibling skills/ directory. Before installing or running it:
  1. Verify that the referenced child skills (link-resolver-engine, mp4-to-mp3-extractor, purevocals-uvr-automator, turbo-whisper-local-stt, llm-text-correct, funasr-punctuation-restore) are present and come from trusted sources.
  2. Inspect those child scripts for network calls, credential usage, or unexpected behavior — the orchestrator will execute them with your user privileges.
  3. Note several wrapper scripts referenced by replicate.py (audio_to_text.py, correct_text.py, punctuation_restore.py, video_snapper.py) are not bundled here; confirm where they come from to avoid accidental execution of unintended code.
  4. Run in a sandbox or on non-sensitive data first, and check for any environment variables or keys the child scripts require.

  If you cannot verify the provenance of the sibling skills, do not run this skill.
Review Dimensions
- Purpose & Capability (note): The name/description (download → extract → separate → transcribe → correct → punctuate) aligns with the script's orchestration role. However, the orchestrator expects multiple other skills (link-resolver-engine, mp4-to-mp3-extractor, purevocals-uvr-automator, turbo-whisper-local-stt, llm-text-correct, funasr-punctuation-restore) to exist as sibling directories. That dependency is reasonable for an orchestrator, but callers should expect those external skills to be required. Also, replicate.py references a few scripts (audio_to_text.py, correct_text.py, punctuation_restore.py, video_snapper.py) that are not present in this package — a missing/inconsistent file set.
- Instruction Scope (concern): The SKILL.md and replicate.py instruct the agent to spawn subprocesses that run many other scripts. The orchestrator will resolve a top-level skills/ directory and execute scripts from sibling skill folders — this effectively grants it permission to run arbitrary code present in that directory tree. The skill's instructions do not read unrelated system files or environment variables themselves, but the external scripts it calls could. Also, several wrapper scripts the orchestrator expects to call are not bundled, so runtime behavior depends on the environment's layout.
- Install Mechanism (ok): No install spec; it's instruction-only with one Python script. Nothing is downloaded or installed by the skill itself — low install risk. The only declared runtime dependency is python, which is appropriate.
- Credentials (ok): The skill declares no required environment variables or credentials. That is proportionate to an orchestrator. Caveat: the external child scripts it invokes (downloaders, transcribers, etc.) might require API keys or credentials not declared here — the orchestrator does not surface or validate those.
- Persistence & Privilege (ok): always is false and user-invocable is true. The skill does not request elevated platform persistence or modify other skills' configs. However, because it executes sibling scripts, an installed instance gains runtime ability to run arbitrary code present in the skills/ tree when invoked.
