Skill Video Caption Overlay
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: skill-video-caption-overlay Version: 1.0.0 The skill is classified as suspicious due to a hardcoded, non-portable file path in `scripts/overlay.py`. The script defaults to `/home/aladdin/.local/share/fonts/Montserrat-Black.ttf` and `/home/aladdin/.local/share/fonts/Montserrat-Bold.ttf` for font files if not explicitly provided. While not directly malicious, this constitutes a vulnerability as it leaks a specific username ('aladdin'), is unlikely to work for most users, and accesses a path outside the skill's bundle and common system-wide font directories, which is a risky capability without clear malicious intent. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection in any of the files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may download current versions of Python packages, so behavior can depend on the package versions uv resolves.
The documented workflow installs or resolves MoviePy and Pillow through uv without pinned versions. This is expected for a Python video-rendering skill, but users should be aware that package resolution depends on the external package source at run time.
uv run --with moviepy --with pillow scripts/overlay.py
If reproducibility or supply-chain control matters, pin dependency versions or run it in a controlled environment before processing important media.