Skills video-enhancement Audit History
🎬

Audit History

video-enhancement - 4 audits

Audit version 4

Latest Medium Risk

Jun 8, 2026, 11:57 AM

This skill is a legitimate video enhancement tool that wraps the verging.ai API. Static analysis flagged shell commands (ffmpeg, curl, yt-dlp), env var access (VERGING_API_KEY), network calls to verging.ai, and temp directory usage. After evaluation, all findings are false positives: the shell commands are standard video processing tool invocations documented for instructional purposes, the API key access follows best practices (env var only), and network calls are to the documented verging.ai API. The combination heuristic is expected for a skill that processes media files via a cloud API. No malicious intent detected.

2
Files scanned
215
Lines analyzed
8
findings
claude
Audited by
Medium Risk Issues (2)
SKILL.md:87-89SKILL.md:117SKILL.md:121
Shell command execution via ffmpeg, curl, and yt-dlp
The skill instructs execution of shell commands including ffmpeg for video trimming, curl for API calls, and yt-dlp for video downloads. These are standard media processing tools invoked with documented parameters. While the execution pattern triggers static analysis, the commands are purposeful and scoped to the video enhancement workflow.
SKILL.md:12SKILL.md:18SKILL.md:147
API key handling via environment variable
The skill accesses VERGING_API_KEY environment variable for authentication with the verging.ai API. This is the recommended secure pattern for credential management. The key is never hardcoded; users set it via export. Privacy section explicitly warns against exposing it in public repos.
Low Risk Issues (2)
SKILL.md:49SKILL.md:61-62SKILL.md:69SKILL.md:95
Network requests to verging.ai API endpoints
The skill makes HTTP requests to verging.ai/api/v1/* endpoints for authentication, video upload, job creation, and status polling. All requests are to the documented API of the service the skill is designed to interface with. No requests to suspicious or external third-party domains.
SKILL.md:87SKILL.md:135
Temp directory usage for video processing
The skill uses /tmp/verging-video-enhancement/ as a working directory for trimmed video files. This is a standard ephemeral location for media processing. The skill notes temp files are cleaned up after use.

Risk Factors

⚙️ External commands (10)
SKILL.md:27-29 SKILL.md:45-47 SKILL.md:60-63 SKILL.md:67-73 SKILL.md:86-90 SKILL.md:93-102 SKILL.md:106-110 SKILL.md:117-122 SKILL.md:130-135 README.md:7-9
🌐 Network access (8)
SKILL.md:49 SKILL.md:52 SKILL.md:61-62 SKILL.md:69 SKILL.md:95 SKILL.md:107-108 README.md:13 README.md:62-63
🔑 Env variables (8)
SKILL.md:12 SKILL.md:18 SKILL.md:39 SKILL.md:61 SKILL.md:70 SKILL.md:96 SKILL.md:107 SKILL.md:147
📁 Filesystem access (4)
SKILL.md:87 SKILL.md:117 SKILL.md:121 SKILL.md:135

Audit version 3

Low Risk

Jun 8, 2026, 11:50 AM

Evaluation of 76 static findings found all critical and high severity items to be false positives in legitimate context. The skill is a video enhancement API client that invokes standard tools (yt-dlp, ffmpeg, curl) and makes API calls to verging.ai. The 'dangerous combination' heuristic triggered on the standard pattern of shell commands + network + API key, but no malicious intent was found. No prompt injection or obfuscation detected. The 'weak crypto' finding is a false positive triggered by API key format strings, not cryptographic implementation.

2
Files scanned
215
Lines analyzed
8
findings
claude
Audited by
Low Risk Issues (4)
SKILL.md:27-29
External commands used for video processing
The skill invokes yt-dlp, ffmpeg, ffprobe, and curl as documented shell commands. These are standard video processing tools, and usage is explicitly documented. No injection risk since commands use fixed tool names with parameterized arguments.
SKILL.md:49
Network access to verging.ai API endpoints
All network access is to verging.ai API endpoints (auth, upload, job management). This is expected for a SaaS API client skill. No requests to unknown or suspicious domains.
SKILL.md:12
API key read from environment variable
VERGING_API_KEY is read from environment, which is the recommended secure pattern for API key management. Key is passed via Authorization header to the API.
SKILL.md:135
Temporary directory usage
Temp files stored in /tmp/verging-video-enhancement/ for intermediate video processing. Standard pattern for media processing. Documentation notes files are cleaned up after use.

Risk Factors

⚙️ External commands (6)
README.md:7-9 README.md:23-25 SKILL.md:27-29 SKILL.md:47-53 SKILL.md:60-73 SKILL.md:117-122
🌐 Network access (6)
README.md:13 README.md:62-63 SKILL.md:49-55 SKILL.md:62 SKILL.md:95 SKILL.md:108
🔑 Env variables (6)
README.md:18 SKILL.md:12 SKILL.md:18 SKILL.md:39 SKILL.md:61 SKILL.md:147
📁 Filesystem access (4)
SKILL.md:87 SKILL.md:117 SKILL.md:121 SKILL.md:135

Audit version 2

Low Risk

Mar 18, 2026, 06:58 AM

This is a legitimate video enhancement skill that integrates with the verging.ai API service. Static analysis flagged 82 patterns, but most are false positives: hardcoded URLs are documented public API endpoints, API key references are for user-provided authentication (not secret exfiltration), and shell commands in documentation are usage examples for ffmpeg/yt-dlp/curl. The skill requires network access for API calls, environment variable for user API key, external tools for video processing, and temp directory for file handling. These are expected behaviors for a video processing tool. Risk level is LOW due to external service dependency and third-party API usage.

4
Files scanned
355
Lines analyzed
8
findings
claude
Audited by
Low Risk Issues (4)
SKILL.md:58SKILL.md:64-67
External API Dependency
Skill depends on third-party verging.ai API service for video enhancement processing. All video processing occurs on external servers.
SKILL.md:12SKILL.md:284openclaw.json:13
User API Key Required
Skill requires users to provide their own verging.ai API key via environment variable. Users must trust the third-party service with their credentials.
SKILL.md:142-144SKILL.md:172
External Tool Dependencies
Skill requires external binaries (yt-dlp, ffmpeg, ffprobe, curl) for video download and processing. These tools must be installed on the user's system.
SKILL.md:166SKILL.md:268
Remote Video Download
Skill can download videos from remote URLs including YouTube and Bilibili. Users should ensure they have rights to process downloaded content.

Risk Factors

🌐 Network access (10)
SKILL.md:58 SKILL.md:95-96 SKILL.md:102 SKILL.md:114 SKILL.md:117 SKILL.md:123 SKILL.md:126 SKILL.md:130 openclaw.json:14 openclaw.json:19
🔑 Env variables (11)
SKILL.md:12 SKILL.md:49 SKILL.md:74 SKILL.md:95 SKILL.md:99 SKILL.md:117 SKILL.md:126 SKILL.md:130 SKILL.md:135 SKILL.md:284 openclaw.json:13
⚙️ External commands (6)
SKILL.md:142-144 SKILL.md:155 SKILL.md:166 SKILL.md:172 SKILL.md:177-183 SKILL.md:214
📁 Filesystem access (2)
SKILL.md:169 SKILL.md:289

Audit version 1

Safe

Mar 17, 2026, 04:15 PM

All static analysis findings are false positives representing legitimate functionality for a video processing tool. Network requests are made to documented verging.ai API endpoints. External commands (ffmpeg, ffprobe, curl, yt-dlp) are standard video processing tools with hardcoded arguments. Environment variables store API keys as documented. No prompt injection attempts or malicious patterns detected.

4
Files scanned
349
Lines analyzed
8
findings
claude
Audited by
Low Risk Issues (4)
SKILL.md:166SKILL.md:172SKILL.md:176
External Command Execution
Skill uses ffmpeg, ffprobe, curl, and yt-dlp commands for video processing. All commands shown in documentation use hardcoded arguments with no user input injection. This is legitimate video processing tooling.
SKILL.md:88SKILL.md:96SKILL.md:102
Network Requests to External API
Skill makes HTTP requests to verging.ai API endpoints for video processing services. All URLs are hardcoded to legitimate service endpoints documented in the skill README.
openclaw.json:13SKILL.md:57
API Key in Environment Variable
Skill reads VERGING_API_KEY environment variable for authentication with verging.ai API. This is the standard, secure pattern for API credential management.
SKILL.md:163SKILL.md:283
Temporary File System Access
Skill uses /tmp/verging-video-enhancement/ directory for temporary video storage during processing. This is standard behavior for video processing workflows.

Risk Factors

🌐 Network access (17)
openclaw.json:14 openclaw.json:19 README.md:14 SKILL.md:58 SKILL.md:88 SKILL.md:96 SKILL.md:102 SKILL.md:107 SKILL.md:108 SKILL.md:114 SKILL.md:118 SKILL.md:123 SKILL.md:127 SKILL.md:131 SKILL.md:242 SKILL.md:260 SKILL.md:271
🔑 Env variables (15)
openclaw.json:13 README.md:16 SKILL.md:12 SKILL.md:18 SKILL.md:49 SKILL.md:57 SKILL.md:74 SKILL.md:95 SKILL.md:99 SKILL.md:117 SKILL.md:126 SKILL.md:130 SKILL.md:135 SKILL.md:259 SKILL.md:278
⚙️ External commands (21)
SKILL.md:37-39 SKILL.md:71-73 SKILL.md:73-75 SKILL.md:75-80 SKILL.md:80-86 SKILL.md:86-93 SKILL.md:93-132 SKILL.md:162-171 SKILL.md:171-173 SKILL.md:173-175 SKILL.md:175-177 SKILL.md:177-188 SKILL.md:188 SKILL.md:188-191 SKILL.md:191-194 SKILL.md:194-195 SKILL.md:195-196 SKILL.md:196-197 SKILL.md:197-198 SKILL.md:198-199 SKILL.md:199-202
📁 Filesystem access (2)
SKILL.md:163 SKILL.md:283
← Back to Skill