ai-clipping Security Report — Low Risk | ClawSafe

5 /100

ai-clipping

AI-powered video highlight extraction using WayinVideo API

A legitimate video clipping skill that wraps the WayinVideo API; no credential theft, no suspicious network destinations, and no malicious patterns found.

Skill Nameai-clipping

Duration32.2s

Enginepi

✓

Safe to install

No blocking action needed. The undeclared subprocess call to openclaw for system events is a minor doc-to-code mismatch (+5 pts) but serves a documented framework integration purpose.

Findings 1 items

Severity	Finding	Location
Low	Undeclared subprocess usage polling_results.py uses subprocess.run to invoke the openclaw CLI for system event notifications. This shell:WRITE behavior is not declared in SKILL.md. The subprocess only runs the agent framework's own notification tool with fixed arguments, not arbitrary shell commands. `subprocess.run(['openclaw', 'system', 'event', '--text', text, '--mode', 'now'], check=True, capture_output=True, text=True)` → Add a note in SKILL.md that this skill uses the openclaw CLI for progress notifications when --event-interval is set.	`scripts/polling_results.py:107`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	scripts/upload_video.py:58-60 reads local video files for upload; declared in SK…
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/submit_task.py:67 writes result JSON; scripts/polling_results.py:117 wri…
Network	`READ`	`READ`	✓ Aligned	All scripts communicate exclusively with wayinvideo-api.wayin.ai; declared in SK…
Shell	`NONE`	`WRITE`	✓ Aligned	scripts/polling_results.py:107 calls subprocess.run(['openclaw', 'system', 'even…
Environment	`READ`	`READ`	✓ Aligned	All scripts read WAYIN_API_KEY from os.environ; declared in SKILL.md Step 0

6 findings

🔗

Medium External URL 外部 URL

https://wayin.ai/api-docs/ai-clipping/

SKILL.md:17

🔗

Medium External URL 外部 URL

https://wayin.ai/wayinvideo/api-dashboard

SKILL.md:22

🔗

Medium External URL 外部 URL

https://wayin.ai/wayinvideo/home

SKILL.md:61

🔗

Medium External URL 外部 URL

https://wayinvideo-api.wayin.ai/api/v2/clips/results/

SKILL.md:92

🔗

Medium External URL 外部 URL

https://wayinvideo-api.wayin.ai/api/v2/clips

scripts/polling_results.py:19

🔗

Medium External URL 外部 URL

https://wayinvideo-api.wayin.ai/api/v2/upload/single-file

scripts/upload_video.py:52

File Tree

9 files · 36.8 KB · 705 lines

Python 3f · 464L Markdown 5f · 235L JSON 1f · 6L

├─ ▾ 📁 assets

│ ├─ 📝 caption_style.md Markdown 30L · 4.3 KB

│ ├─ 📝 platform_duration.md Markdown 8L · 2.0 KB

│ ├─ 📝 platform_ratio.md Markdown 5L · 376 B

│ └─ 📝 supported_languages.md Markdown 100L · 1.2 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 polling_results.py Python 191L · 8.3 KB

│ ├─ 🐍 submit_task.py Python 162L · 7.0 KB

│ └─ 🐍 upload_video.py Python 111L · 4.4 KB

├─ 📋 skill.json JSON 6L · 161 B

└─ 📝 SKILL.md Markdown 92L · 9.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`stdlib only`	`N/A`	built-in	No	Uses only Python standard library (os, sys, urllib, subprocess, json, datetime, argparse, mimetypes, time, socket)

Security Positives

✓ API key is read from environment only and never exfiltrated or logged

✓ All network traffic is confined to the legitimate wayinvideo-api.wayin.ai endpoints (HTTPS)

✓ No base64, eval(), atob(), or dynamic code execution patterns present

✓ No credential harvesting (SSH, AWS, .env paths) observed

✓ No curl|bash or remote script execution

✓ File reads are limited to explicitly user-provided video file paths

✓ File writes are scoped to a dedicated api_results directory with a structured JSON schema

✓ No hidden HTML comments, steganography, or obfuscated payloads

✓ Dependencies are standard library only (no third-party packages needed)

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives