video-remix
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its video-editing purpose, but it directs mandatory browser automation through a named Gemini browser profile and under-declares that account/session use.
Review this skill before installing or invoking it. It appears designed for legitimate video remixing, but confirm before letting it use a Gemini browser session, install packages, download/process videos, or start LAN sharing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may act through a browser session associated with the user and send the YouTube URL/prompt to Gemini without a separate, explicit credential approval step.
The skill instructs the agent to open Gemini using a named browser profile, which may use an existing Google/Gemini session. The supplied metadata declares no primary credential or required credential boundary.
browser(action="start", profile="openclaw") ... browser(action="navigate", url="https://gemini.google.com/")
Declare Gemini/Google account usage in metadata and SKILL.md, require user confirmation before browser-profile use, and document which profile/account is used and what data is sent.
A user who simply provides a YouTube URL may trigger browser automation and third-party processing sooner than expected.
The workflow tells the agent to immediately and mandatorily use browser automation once a URL is provided, reducing user control over an external-service action.
**顺序要求(强制):** ... **必须立即执行阶段 1(片段规划)** ... **触发时机:** 用户提供 YouTube URL 后 **立即执行**
Add an explicit confirmation step before launching Gemini/browser automation, and make the fallback/offline path and stopping conditions clear.
Future installs may pull newer package versions with different behavior or vulnerabilities.
The Python dependencies are version-ranged rather than pinned exactly. They are expected for this media-processing workflow, but the installed code may change over time.
yt-dlp>=2024.0.0 ... faster-whisper>=1.0.0 ... edge-tts>=6.1.0 ... openai>=1.0.0 ... requests>=2.28.0
Install in a virtual environment and prefer pinned, reviewed dependency versions or a lockfile.
Running the setup may install or update software on the machine, including via sudo on Debian/Ubuntu.
The setup instructions install system and Python packages. This is expected for video downloading, TTS, and FFmpeg subtitle rendering, but it changes the local environment.
sudo apt update -y sudo apt install -y ffmpeg yt-dlp libass-dev ... pip3 install edge-tts ... pip3 install yt-dlp
Review the commands first, run them manually where possible, and use an isolated environment for Python packages.
People or devices on the same local network may be able to access the generated video if the share server is exposed broadly.
The skill discloses that generated output may be shared over a LAN HTTP address, but the visible artifact excerpt does not specify authentication or network binding details.
最后通过**局域网 HTTP**分享 ... 输出:output/final_hardsub.mp4、output/full_voiceover.mp3、output/subtitles.srt、HTTP 分享地址
Only enable LAN sharing on trusted networks, document the bind address/port, and provide an easy way to disable sharing.