Trusted — Risk Score 5/100
Last scan: 2 days ago
wayinvideo
AI video editing and analysis suite with highlight extraction, natural language search, summarization, and transcription via wayinvideo-api.wayin.ai REST API
WayinVideo is a legitimate AI video processing CLI client that wraps the wayinvideo-api.wayin.ai REST API. All network traffic is confined to the declared API endpoint, subprocess is used only for optional system event notifications, and no credential exfiltration or sensitive path access was found.
Skill Name: wayinvideo
Duration: 36.6s
Engine: pi
Safe to install
Approve for use. The skill performs standard API client operations with no hidden functionality.

Findings 2 items

Severity: Low
Finding: Undeclared subprocess usage for system events
Location: wayinvideo-cli/wayinvideo/cli.py:40
cli.py _send_event() uses subprocess.run to invoke 'openclaw system event' for progress notifications. SKILL.md does not declare this shell execution capability. The call is best-effort (wrapped in try/except) and optional (only fires when event_interval > 0), so the practical risk is negligible.
subprocess.run(['openclaw', 'system', 'event', '--text', text, '--mode', 'now'], check=True, capture_output=True, text=True)
→ Document shell:WRITE in SKILL.md metadata or replace with a non-subprocess IPC mechanism if available.

Severity: Low
Finding: Config file path expansion with user-controlled tilde
Location: wayinvideo-cli/wayinvideo/config.py:36
config.py:36 and cli.py:58 handle paths starting with '~' via os.path.expanduser(). This is standard shell behavior and not a path traversal risk since the tilde is literal and validated.
if v.startswith('~'): return os.path.expanduser(v)
→ No action needed; this is expected behavior for path resolution.

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | WRITE | WRITE | ✓ Aligned | cli.py:116 _save_json writes to ~/.wayinvideo/; cli.py:217 config writes to ~/.w… |
| Network | READ | READ | ✓ Aligned | client.py:64-165 all urllib requests go to https://wayinvideo-api.wayin.ai; cons… |
| Shell | NONE | WRITE | ✓ Aligned | cli.py:40-46 _send_event() calls subprocess.run(['openclaw', 'system', 'event', … |
| Environment | READ | READ | ✓ Aligned | client.py:25 reads WAYIN_API_KEY from os.environ; SKILL.md metadata declares WAY… |

6 findings
Medium External URL
https://wayinvideo-api.wayin.ai/api/v2/clips
wayinvideo-cli/wayinvideo/constants.py:6

Medium External URL
https://wayinvideo-api.wayin.ai/api/v2/clips/find-moments
wayinvideo-cli/wayinvideo/constants.py:7

Medium External URL
https://wayinvideo-api.wayin.ai/api/v2/summaries
wayinvideo-cli/wayinvideo/constants.py:8

Medium External URL
https://wayinvideo-api.wayin.ai/api/v2/transcripts
wayinvideo-cli/wayinvideo/constants.py:9

Medium External URL
https://wayinvideo-api.wayin.ai/api/v2/clips/export
wayinvideo-cli/wayinvideo/constants.py:10

Medium External URL
https://wayinvideo-api.wayin.ai/api/v2/upload/single-file
wayinvideo-cli/wayinvideo/constants.py:13

File Tree

19 files · 89.2 KB · 1964 lines
Python 7f · 1538L Markdown 12f · 426L
├─ 📁 advanced
│ ├─ 📝 learning_from_videos.md Markdown 40L · 3.3 KB
│ └─ 📝 searching_best.md Markdown 35L · 3.2 KB
├─ 📁 basics
│ ├─ 📝 ai-clipping.md Markdown 29L · 2.9 KB
│ ├─ 📝 export.md Markdown 24L · 2.0 KB
│ ├─ 📝 find-moments.md Markdown 26L · 2.0 KB
│ ├─ 📝 video-summarization.md Markdown 14L · 725 B
│ └─ 📝 video-transcription.md Markdown 14L · 776 B
├─ 📁 references
│ ├─ 📝 caption_style.md Markdown 30L · 4.3 KB
│ ├─ 📝 platform_duration.md Markdown 8L · 2.0 KB
│ ├─ 📝 platform_ratio.md Markdown 5L · 376 B
│ └─ 📝 supported_languages.md Markdown 100L · 1.2 KB
├─ 📁 wayinvideo-cli
│ ├─ 📁 wayinvideo
│ │ ├─ 🐍 __init__.py Python 2L · 96 B
│ │ ├─ 🐍 __main__.py Python 5L · 117 B
│ │ ├─ 🐍 cli.py Python 1035L · 39.5 KB
│ │ ├─ 🐍 client.py Python 165L · 5.9 KB
│ │ ├─ 🐍 config.py Python 128L · 4.2 KB
│ │ └─ 🐍 constants.py Python 189L · 8.4 KB
│ └─ 🐍 setup.py Python 14L · 371 B
└─ 📝 SKILL.md Markdown 101L · 7.8 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| stdlib-only | N/A | Python 3.7+ standard library | No | No pip-installed dependencies; uses urllib.request, json, os, subprocess, argparse, mimetypes, copy, textwrap, datetime, shutil (implicit) |

Security Positives

✓ Uses only stdlib (urllib, json, os, subprocess, argparse); no third-party dependency risk
✓ API key read exclusively from environment variable WAYIN_API_KEY, never hardcoded or exfiltrated
✓ All network requests confined to declared domain wayinvideo-api.wayin.ai
✓ No base64, eval, dynamic code execution, or obfuscation
✓ No access to ~/.ssh, ~/.aws, .env, or other credential paths
✓ No reverse shell, C2, or data theft patterns
✓ File writes limited to ~/.wayinvideo/ (config + cache), appropriate for the tool's function
✓ Uploads go directly to a presigned URL, not through the host system
✓ Subprocess call is best-effort and optional (controlled by event_enabled flag)