Pluginv1.0.0

ClawScan security

clipsight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 2, 2026, 11:03 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior largely matches its stated purpose (searching and managing videos), but its runtime instructions reference an undeclared bearer token and ask the agent to scan and upload local files in ways that could be surprising — those inconsistencies deserve attention before installing.
Guidance: This skill appears to do what it claims (manage and search videos), but check these before installing: - The SKILL.md expects a bearer token (CLIPSIGHT_MCP_TOKEN) and optionally CLIPSIGHT_MCP_URL even though the registry metadata lists no required env vars—you should only provide that token if you trust clipsight.ai or your chosen MCP server. Treat it like any API secret. - The runtime instructions direct the agent to recursively list files and run curl uploads with absolute paths. That means the agent needs permission to read parts of your filesystem and to execute shell commands. Only grant those capabilities if you trust the skill and the remote service. - Uploads go to presigned S3 URLs returned by the remote MCP server; those are external endpoints. Verify the server domain (default is https://clipsight.ai/mcp) or configure CLIPSIGHT_MCP_URL to a vetted endpoint. - The skill can delete jobs/queries; it correctly instructs to confirm before deletion — treat delete operations as irreversible. If you want to proceed: confirm the source (the GitHub repo), set the CLIPSIGHT_MCP_TOKEN in a safe place (not global/shared), restrict which directories the agent may scan, and avoid running the skill with elevated privileges. If anything is unclear, ask the maintainer to update the plugin metadata to explicitly declare the required env vars and to document the exact filesystem permissions the skill will need.

Review Dimensions

Purpose & Capability: okName/description align with the provided tools and commands: create_job, confirm_upload, search_videos, get_download_urls, delete_job, etc. The skill's documented workflows (list files, create job, upload presigned S3 URLs, confirm, search, download, delete) are coherent with a video-search/manage plugin.
Instruction Scope: concernThe SKILL.md instructs the agent to enumerate local filesystem paths (find across a directory tree), build and execute shell upload scripts, and use absolute file paths for direct uploads. While listing and uploading user videos is expected, these instructions give the agent broad access to scan directories and run shell commands that touch arbitrary local files — this is invasive and should be made explicit to users. The upload workflow involves sending files to presigned S3 URLs returned by the remote service (external endpoints), which is required by design but increases the risk if the remote service or URLs are untrusted.
Install Mechanism: okNo install spec and no code files are executed locally (instruction-only). This minimizes filesystem persistence and install-time risk.
Credentials: concernThe documentation repeatedly references a bearer token (CLIPSIGHT_MCP_TOKEN) and an optional CLIPSIGHT_MCP_URL, and says the plugin will send the bearer token automatically — yet the skill metadata declares no required env vars or primary credential. This mismatch is important: the skill expects a sensitive environment variable (a token) but the registry metadata doesn't advertise it, so users may not realize they'll need to supply a secret. No unrelated credentials are requested, but the undeclared token is a proportionality/visibility problem.
Persistence & Privilege: okThe skill is not marked always:true and has no install-time persistence. It does not request modification of other skills or system-wide settings. A local .claude/settings.local.json entry exists disabling the clipsight MCP server, but that is a local config file and not a privilege escalation.