← Back to Skills Marketplace
465
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install video-proof-skill
Description
Record video proof of implemented features after coding tasks complete. Use when a coding agent finishes work and needs to visually verify and demonstrate th...
Usage Guidance
This skill appears to do what it says: it launches a server (via a start_command you provide), uses Playwright to record screen/screenshot/console logs, and writes proof artifacts. Before running: (1) review scripts/setup.sh because it will install node modules, download Chromium via npx playwright and may prompt for sudo to install ffmpeg — run it in a dev VM or container if you want isolation; (2) carefully review any proof-spec.yaml/start_command the agent will use — the skill will execute that shell command as-is, so do not let an untrusted agent choose a start_command or point it at production services; (3) avoid including secrets or production credentials in environment or repo paths used during recording, and review produced artifacts before committing (screenshots, logs, or API responses can include sensitive data); (4) if you need stricter control, run the scripts manually under an isolated user/container and inspect package.json changes and installed binaries first.
Capability Analysis
Type: OpenClaw Skill
Name: video-proof-skill
Version: 1.0.1
The skill is highly suspicious due to its design allowing arbitrary shell command execution and broad network access. Both `scripts/record-proof.js` and `scripts/api-proof.js` execute user-provided `start_command` values directly via `spawn('sh', ['-c', ...])`, which is a critical Remote Code Execution (RCE) vulnerability. The `SKILL.md` and `references/proof-spec.md` explicitly instruct an AI agent to generate this `start_command` based on its task, creating a direct prompt injection vector for RCE. Additionally, `scripts/setup.sh` uses `sudo` for dependency installation, and `scripts/api-proof.js` can make arbitrary HTTP/HTTPS requests, further increasing the attack surface.
Capability Assessment
Purpose & Capability
The name/description (record video/screenshot proof) match the included scripts (record-proof.js, api-proof.js) and the reference docs. The scripts implement UI walkthrough recording (Playwright) and API request checks, which is exactly what the skill claims to do.
Instruction Scope
SKILL.md and the scripts require you to provide a start_command (any shell command) or point to an already-running server and instruct the agent to produce artifacts and commit them. Allowing arbitrary start_command is necessary for the stated purpose (to start diverse stacks), but it also means the skill will run whatever command the agent or user supplies — verify the start_command and proof-spec before running, and avoid using secrets or production services in a recording run.
Install Mechanism
There is no platform package installer in the registry spec, but the included scripts/setup.sh installs npm packages (playwright, yaml), runs npx playwright install and may attempt to call system package managers (apt-get, brew, dnf, pacman) to install ffmpeg. This is expected for Playwright/video work but is invasive: it modifies (or creates) package.json, downloads node modules and browser artifacts, and may use sudo to install system packages.
Credentials
The skill declares no required env vars or credentials (ok). The scripts spawn the start_command with an env that inherits process.env, and setup.sh runs system package installers — running the skill in an environment with sensitive environment variables or secrets could expose them if the started process or agent-written start_command leaks them. The skill itself does not request unrelated cloud creds or tokens.
Persistence & Privilege
The skill is not forced-always-enabled and does not attempt to modify other skills or system-wide agent settings. It does persist artifacts into a local output directory by design. Autonomous invocation is allowed by default (platform behavior) but not combined with other elevated privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install video-proof-skill - After installation, invoke the skill by name or use
/video-proof-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Record video proof of working features with Playwright. Any stack, any start command.
v1.0.0
Record video proof of working features with Playwright. Any stack, any start command. UI + API proof modes.
Metadata
Frequently Asked Questions
What is Video Proof?
Record video proof of implemented features after coding tasks complete. Use when a coding agent finishes work and needs to visually verify and demonstrate th... It is an AI Agent Skill for Claude Code / OpenClaw, with 465 downloads so far.
How do I install Video Proof?
Run "/install video-proof-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Video Proof free?
Yes, Video Proof is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Video Proof support?
Video Proof is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Video Proof?
It is built and maintained by rikisann (@rikisann); the current version is v1.0.1.
More Skills