Trust Assessment
clipit received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 29 findings: 8 critical, 13 high, 7 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, and Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (29)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/akdeepankar/clip-it/clip.py:20 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/akdeepankar/clip-it/clip.py:218 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/akdeepankar/clip-it/clip.py:256 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/akdeepankar/clip-it/clip.py:273 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/akdeepankar/clip-it/clip.py:403 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/akdeepankar/clip-it/clip.py:459 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/akdeepankar/clip-it/clip.py:29 | |
| CRITICAL | Misleading Privacy Claim Leads to Sensitive Data Exfiltration The `SKILL.md` explicitly instructs the LLM to process sensitive user information (e.g., "credit card number") and falsely assures the user that "privacy is preserved" because "The tool is running locally on the user's machine". However, the `clip.py` script, which is the core of this skill, sends audio/transcript data to ElevenLabs (for transcription) and OpenAI (for segment finding). This means sensitive user data, including potentially credit card numbers or other PII, will be exfiltrated to third-party cloud services, directly contradicting the privacy claim and posing a severe data breach risk. Remove the misleading privacy claim. Clearly state that data is sent to ElevenLabs and OpenAI for processing. Implement explicit user consent mechanisms before processing sensitive data. Consider using local-only transcription/LLM models for sensitive data to truly preserve privacy. | LLM | SKILL.md:20 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/akdeepankar/clip-it/clip.py:29 | |
| HIGH | Dangerous call: subprocess.check_call() Call to 'subprocess.check_call()' detected in function '<module>'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/akdeepankar/clip-it/clip.py:20 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'extract_audio'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/akdeepankar/clip-it/clip.py:218 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'cut_media'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/akdeepankar/clip-it/clip.py:256 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'replace_audio_in_video'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/akdeepankar/clip-it/clip.py:459 | |
| HIGH | Dangerous call: subprocess.check_call() Call to 'subprocess.check_call()' detected in function 'download_youtube_video'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/akdeepankar/clip-it/clip.py:273 | |
| HIGH | Dangerous call: subprocess.check_call() Call to 'subprocess.check_call()' detected in function 'isolate_audio'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/akdeepankar/clip-it/clip.py:403 | |
| HIGH | Potential data exfiltration: file read + network send Function 'transcribe_audio' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/akdeepankar/clip-it/clip.py:54 | |
| HIGH | Potential data exfiltration: file read + network send Function 'download_file' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/akdeepankar/clip-it/clip.py:185 | |
| HIGH | Potential data exfiltration: file read + network send Function 'dub_media' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/akdeepankar/clip-it/clip.py:385 | |
| HIGH | Potential data exfiltration: file read + network send Function 'isolate_audio' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/akdeepankar/clip-it/clip.py:432 | |
| HIGH | Potential data exfiltration: file read + network send Function 'create_job' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/akdeepankar/clip-it/clip.py:318 | |
| HIGH | User Input Directly Interpolated into Shell Command String The `SKILL.md` instructs the LLM to construct a shell command string by directly interpolating user-provided `INPUT` and `QUERY` values into the base command: `/Users/akdeepankar/clawd/skills/clipit/bin/clipper --input "{INPUT}" --query "{QUERY}"`. If the LLM executes this constructed string using a shell (e.g., `subprocess.run(..., shell=True)`), a malicious user could inject arbitrary shell commands (e.g., `"; rm -rf /"` into `QUERY`) leading to remote code execution on the host machine. Although the `clip.py` script uses `argparse` internally, this protection is bypassed if the LLM constructs and executes the command as a single shell string. Instruct the LLM to pass arguments as a list of strings to the executable (e.g., `["/path/to/clipper", "--input", user_input, "--query", user_query]`) rather than constructing a single shell command string. This prevents shell interpretation of user input. | LLM | SKILL.md:50 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/akdeepankar/clip-it/clip.py:12 | |
| MEDIUM | Unpinned Python dependency version Requirement 'elevenlabs>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/akdeepankar/clip-it/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'openai>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/akdeepankar/clip-it/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/akdeepankar/clip-it/requirements.txt:3 | |
| MEDIUM | Unpinned Python dependency version Requirement 'yt-dlp' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/akdeepankar/clip-it/requirements.txt:4 | |
| MEDIUM | Broad Access to System Binaries, Filesystem, and API Keys The skill requires access to powerful system binaries (`ffmpeg`, `yt-dlp`), can process arbitrary local files specified by the user, and has access to sensitive API keys (`ELEVENLABS_API_KEY`, `OPENAI_API_KEY`). This combination grants the skill a wide range of capabilities, including reading/writing files, network access, and executing external programs. While necessary for its functionality, this broad access, especially when combined with the command injection vulnerability, significantly increases the potential impact of a successful exploit. Implement strict input validation and sanitization for all user-provided file paths and URLs. Consider sandboxing the execution environment for skills that require such broad access to mitigate the impact of potential exploits. Review if all required binaries and environment variables are strictly necessary for every operation. | LLM | Manifest | |
| MEDIUM | Dynamic Dependency Installation at Runtime The `clip.py` script attempts to install the `openai` package at runtime if it's not found (`subprocess.check_call([sys.executable, "-m", "pip", "install", "openai", "-q"])`). While this might seem convenient, it introduces several risks: (1) **Non-deterministic environment**: The version installed might differ across executions. (2) **Security risk**: If the PyPI index is compromised or a typosquatted package named `openai` is published, the skill could inadvertently install malicious code. (3) **Performance overhead**: Unnecessary installation attempts. Ensure all required dependencies are listed in `requirements.txt` and installed as part of the skill's setup process, not dynamically at runtime. Remove the `subprocess.check_call` for `pip install` from the main script logic. | LLM | clip.py:12 | |
| LOW | Dependencies Not Pinned to Exact Versions The `requirements.txt` file specifies dependencies using minimum versions (e.g., `elevenlabs>=1.0.0`, `openai>=1.0.0`) rather than exact versions (`==`). This practice can lead to non-deterministic builds, where new, potentially incompatible, or vulnerable versions of libraries are installed without explicit review. While less critical than typosquatting, it introduces a supply chain risk as future updates to these libraries could introduce security flaws or breaking changes. Pin all dependencies to exact versions (e.g., `elevenlabs==1.0.0`). Use a lock file (e.g., `pip freeze > requirements.lock`) to ensure reproducible installations. Regularly review and update pinned dependencies. | LLM | requirements.txt:1 |