Skill v1.0.0

ClawScan security

Video Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 11:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, required binaries, and runtime instructions are consistent with its stated purpose (download videos, extract audio/transcripts, capture frames); it does not request unrelated credentials or hidden network endpoints, but users should be mindful of privacy and large model downloads.
Guidance
This skill appears to do what it says — it downloads video/audio, extracts frames, and runs a local Whisper transcription. Before installing or running it, verify you trust the yt-dlp/ffmpeg/whisper binaries on your system (install from official sources), run the scripts in a directory where large downloads and model files are acceptable, and be cautious about transcripts that may contain sensitive information: the README/examples show piping transcripts to 'clawdbot ask' (or other AI services), which would send that text off your machine. Also confirm you have the right to download the target videos and consider running the tool in a sandbox if you handle confidential content. If you want higher assurance, check the referenced GitHub repository (package.json) or inspect the scripts yourself — they are short and readable.

Review Dimensions

Purpose & Capability
ok: Name/description require yt-dlp, ffmpeg, and whisper; the included scripts call exactly those binaries to download video/audio, extract frames, and run Whisper for transcription. Required binaries and file operations are proportionate to the stated purpose.
Instruction Scope
note: SKILL.md and scripts instruct only local actions (yt-dlp download, ffmpeg/ffprobe, whisper transcription, write outputs to an outputs/ directory). One usage example suggests piping the transcript to 'clawdbot ask' (an external AI CLI) — that would transmit transcript text off-host if used, so users should be aware of potential data leakage when using that step.
Install Mechanism
ok: No automated install spec is included (instruction-only); the README/SKILL.md recommend installing yt-dlp, ffmpeg, openai-whisper via brew. No remote download/extract steps or obscure URLs are present in the package itself.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. All runtime behavior is driven by CLI arguments and local files (config.json is present but not required). This is proportionate to the described functionality.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system-level privileges or modify other skills' configurations. It only writes output files into its chosen output directory.