Back to skill
Skillv4.0.1
ClawScan security
Video Toolbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 24, 2026, 1:51 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is internally consistent with its description: it only provides local text reference output and does not request credentials, perform network calls, or access unexpected system resources.
- Guidance
- This skill appears to be a simple, local reference tool that prints documentation. Before installing, you can: (1) verify the GitHub repo/homepage if you want provenance; (2) inspect the included scripts (already done) — they only emit static text and do not perform network I/O or read secrets; (3) note a minor inconsistency (SKILL.md lists version 4.0.1 while the script sets VERSION=4.0.0 and the help text uses single quotes so $VERSION won't expand) — this is a functional bug, not a security issue. If future versions add network calls or request environment variables, re-evaluate those changes before enabling the skill.
Review Dimensions
- Purpose & Capability
- okThe name/description promise a local reference for Video Toolbox concepts and best practices. The included script and SKILL.md implement exactly that (printing heredoc reference text). There are no unrelated requirements (no binaries, env vars, or config paths).
- Instruction Scope
- okSKILL.md instructs the agent to output plain-text reference content via heredocs and explicitly states no external API calls or credentials are needed. The script only prints static documentation strings and does not read files, environment variables, or contact network endpoints.
- Install Mechanism
- okThere is no install spec (instruction-only). One script file is included; it is a simple bash script that emits documentation. No downloads, package installs, or archive extraction are present.
- Credentials
- okThe skill declares no required environment variables or credentials and the code does not access any env vars or secrets. No credential-like variables or config paths are requested.
- Persistence & Privilege
- okalways is false (default) and the skill does not request persistent/system-level changes. The agent may invoke it autonomously (platform default), but the skill itself does not modify other skills or global configuration.