Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Visual models analyze video to generate reports and highlight frames, provided by the Vidu API.
v1.0.1
Extract and analyze keyframes from MP4, MOV, AVI videos to identify themes, generate reports, and provide 3 representative screenshots.
by Vidu AI @x-jihua
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and shipped script rely on ffmpeg/ffprobe for extraction and reference a Feishu inbound path and sending output via Feishu, but the skill metadata lists no required binaries, env vars, or config paths. The use of ffmpeg/ffprobe is legitimate for video processing, and Feishu integration can be reasonable, but the metadata omission is an incoherence that could lead to runtime failures or hidden assumptions about platform integrations.
Instruction Scope
The runtime instructions stay within the stated purpose (download video, extract keyframes, analyze images, send report). They reference a specific agent filesystem path (~/.openclaw/media/inbound and ~/.openclaw/media/keyframes) and instruct sending results via Feishu. The instructions do not ask to read unrelated files or export data to unknown network endpoints, but they implicitly rely on platform-level Feishu messaging capabilities and an 'image' vision tool (which will send frames to whatever model backend the agent uses).
Install Mechanism
This is instruction-only with a small helper script — no install spec, which reduces supply-chain risk. However, the skill requires ffmpeg/ffprobe to be present on PATH; that dependency is not declared in metadata. Because extract_keyframes.sh invokes ffmpeg directly, the operator should ensure ffmpeg is installed from a trusted source.
Credentials
The skill declares no required environment variables or credentials, yet the SKILL.md mentions sending output via Feishu. If sending via Feishu requires credentials or tokens on the agent, those are not declared here. Additionally, the analysis step uses an 'image' vision tool — processing keyframes will transmit image data to the configured model backend, which may expose sensitive visual content; this risk is expected for this kind of skill but should be acknowledged and matched to declared policies/credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and only writes to its own output directory (~/.openclaw/media/keyframes). The script clears keyframe_*.jpg files in its output directory but does not attempt to alter other config files or credentials.
What to consider before installing
Before installing or enabling this skill:
- Confirm ffmpeg/ffprobe are installed and from a trusted package (the script depends on these but the metadata does not declare them).
- Verify how Feishu integration is handled on your agent: if the skill expects to send messages via Feishu, ensure appropriate credentials/tokens are present and intentional — the skill metadata does not list any Feishu env vars.
- Understand that the 'image' vision analysis will send extracted frames to whatever model/backend the agent is configured to use; do not analyze sensitive or private video content unless you trust that backend.
- Review and, if desired, run the included extract_keyframes.sh in a safe test environment to confirm it behaves as expected (it appears benign: it validates input, creates an output dir, clears keyframe files in that dir, and invokes ffmpeg).
- Consider asking the skill author (or the registry owner) to update metadata to list required binaries (ffmpeg/ffprobe) and to clarify any required platform credentials (Feishu) before trusting it in production.

Like a lobster shell, security has layers — review code before you run it.
