Vlog Auto Edit

Advisory

Audited by VirusTotal on Apr 16, 2026.

Overview

Type: OpenClaw Skill
Name: vlog-auto-edit
Version: 1.0.1

The skill bundle provides a legitimate workflow for automated video editing but uses high-risk capabilities, including automated package installation (pip install) and extensive shell command execution via ffmpeg. Specifically, code examples in SKILL.md use subprocess.run(shell=True), which presents a shell injection vulnerability. While these actions are aligned with the stated purpose of video processing, the instructions require classifying risky capabilities (shell and file access) as suspicious even when they are plausibly needed for the task.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Personal video frames may leave your machine and be processed by the chosen vision API provider.

Why it was flagged

The workflow sends extracted local video frames to an external vision-model API. That is expected for visual analysis, but the frames may contain private people, locations, or documents.

Skill content

Supports base64 image input (frames are extracted from local footage, then encoded and uploaded)

Recommendation

Use a trusted provider, review its retention/privacy terms, avoid sensitive footage, and limit uploads to the minimum frames needed.

What this means

If pasted into prompts, files, or logs, the API key could be exposed or reused.

Why it was flagged

The skill expects a provider API key for the vision model. This is purpose-aligned, but the agent may handle a sensitive credential.

Skill content

API_KEY = 'YOUR_API_KEY' ... 'Authorization': f'Bearer {API_KEY}'

Recommendation

Use a scoped/revocable API key, prefer environment variables or a secure secret store, and do not commit or share files containing the key.

What this means

Package installation can change the local Python environment and depends on the integrity of package repositories.

Why it was flagged

The documentation permits the agent to install unpinned Python packages. This is normal for the workflow, but it relies on external package sources.

Skill content

Python dependencies (the Agent detects and installs them automatically):
- `openai-whisper` — speech transcription
- `Pillow` — title image generation

Recommendation

Install in a virtual environment, pin versions if possible, and approve package installation before the agent runs it.

What this means

The skill will read media files and write generated images/videos in the project output folders.

Why it was flagged

The helper script runs ffmpeg locally to extract thumbnails/QC frames. This is core to video editing and uses argument arrays rather than shell strings, but it is still local command execution.

Skill content

cmd = ["ffmpeg", "-y"] + args ... return subprocess.run(cmd, **kw)

Recommendation

Run it only on footage directories you intend to process and review output paths before execution.

What this means

Generated analysis files may contain private speech, locations, and scene descriptions even after the original videos are moved.

Why it was flagged

The workflow stores derived analysis, including visual descriptions and speech transcripts, in local project files for reuse during editing.

Skill content

`clip_analysis.json` | 3+3.5 | Full analysis of each clip (visuals, speech, volume, preprocessing suggestions)

Recommendation

Keep project folders private, avoid syncing them to untrusted cloud locations, and delete analysis/thumbnails when no longer needed.