← Back to Skills Marketplace
Qcut Video Edit
by
donghaozhang
· GitHub ↗
· v2026.3.5
405
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install qcut-video-edit
Description
Run QCut's native TypeScript pipeline CLI for AI content generation, video analysis, transcription, YAML pipelines, ViMax agentic video production, and proje...
Usage Guidance
What to consider before installing or running this skill:
- The SKILL.md expects you to have and run local developer tools (bun, electron) and the qcut pipeline. The skill metadata does not declare those required binaries — confirm you have the intended QCut application and that these commands are safe in your environment.
- The instructions access local configuration (~/.qcut/.env) and include commands to set and reveal API keys. Never run commands that reveal secrets unless you explicitly trust the environment and understand where output goes.
- The skill suggests reading other agent skill files (e.g., .agents/skills/...), which means it expects access to your agent's filesystem. If you do not want a skill to read other skill files or local configs, avoid running these commands or run them in an isolated environment (VM/container).
- Building and launching (bun run build; bun run electron &) executes code on your machine. Treat that like running any unreviewed program — inspect upstream source or run in an isolated test environment first.
- Ask the publisher for clarifications: a list of explicit required binaries, which local paths will be read/written, and why reading .agents/skills is necessary. Prefer installing only from a trusted homepage/source; this package has 'Source: unknown' and no homepage, which reduces provenance confidence.
- If you need to proceed, run commands manually rather than letting an agent run them autonomously, and avoid using any --reveal or other flags that expose full secret values.
Capability Analysis
Type: OpenClaw Skill
Name: qcut-video-edit
Version: 2026.3.5
The skill bundle is classified as suspicious due to several high-risk capabilities and potential vulnerabilities exposed through its commands. Specifically, the `bun run pipeline get-key --name <name> --reveal` command (documented in `reference-pipelines.md`) allows direct retrieval of sensitive API keys stored locally. Additionally, the 'Notification Bridge' feature (documented in `editor-state-control.md`) enables forwarding of user actions from the QCut application to the Claude PTY session, posing a privacy risk through potential monitoring. Furthermore, commands accepting arbitrary URLs (e.g., `--image-url`, `--url` in `REFERENCE.md`, `editor-media.md`) and HTML content (e.g., `--html` in `editor-output.md`) could lead to SSRF/LFI or XSS vulnerabilities in the underlying QCut application if not properly sanitized. While these are documented features, they represent significant security risks if misused or exploited, indicating a suspicious rather than benign nature, without clear evidence of intentional malicious exfiltration or backdoor installation by the skill itself.
Capability Assessment
Purpose & Capability
The skill claims to run QCut's native TypeScript pipeline and editor HTTP automation (which legitimately requires local binaries like bun, a qcut-pipeline binary, electron, and curl). However the registry metadata lists no required binaries, no required env vars, and no install steps. That is an incoherence: documentation expects tools that are not declared as required.
Instruction Scope
The SKILL.md instructs the agent to run local shell commands (curl to http://127.0.0.1:8765, bun run build, bun run electron, bun run pipeline commands), read/write ~/.qcut/.env, dump project state to disk, and locate other agent files (e.g., .agents/skills/remotion-best-practices/SKILL.md). These actions go beyond simple CLI usage: they can start background processes, read local config and other skill files, and (via pipeline key commands) potentially reveal secret values if a user runs 'get-key --reveal' or similar. The instructions also give broad discretion to import/export files and interact with the editor API — not strictly scoped to a single narrow task.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there's no installer or external binary being downloaded by the skill package itself. That reduces risk from remote code fetch, but the runtime instructions still direct running local build/execution commands (bun/electron).
Credentials
The docs reference many API keys stored at ~/.qcut/.env (FAL_KEY, GEMINI_API_KEY, OPENAI_API_KEY, etc.) and include commands to set/check/reveal keys, but the skill metadata declares no required environment variables or primary credential. This is a mismatch: the skill expects to manage/inspect local secrets but doesn't declare any credential access. Additionally, commands can expose whether keys are configured and (with --reveal) full values — a potential vector for accidental secret disclosure if used carelessly.
Persistence & Privilege
The skill does not set always:true and has no install mechanism that would embed it persistently. It does instruct launching local processes (bun run electron &), but that is a normal behavior for a CLI controlling a local desktop app and not a privilege escalation of the skill package itself.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install qcut-video-edit - After installation, invoke the skill by name or use
/qcut-video-edit - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2026.3.5
- Added new step to switch to the video edit panel using editor:ui:switch-panel in project/media/timeline discovery instructions.
- Updated step order to clarify UI navigation before media and timeline export.
- No breaking changes to commands or API. Documentation and workflow guidance improved.
v2026.3.4
- Major documentation and structure update with expanded modular references for pipelines, ViMax, media, timeline, and output.
- Added 5 new documentation files: editor-media.md, editor-timeline.md, editor-output.md, reference-pipelines.md, and reference-vimax.md for clearer separation of commands and workflows.
- Enhanced JSON output documentation, including envelope types and progressive 3-level help for improved machine parsing.
- New options and global flags introduced (e.g., --session, --skip-health, --no-capability-check) and documented.
- Clarified project.json agent-readable state export commands and schemas.
- Updated key source file references, listing additional registries and helpers for improved developer navigation.
v2026.3.3
- Major documentation update: new comprehensive SKILL.md covering all aspects of QCut's native CLI usage.
- Added detailed step-by-step instructions for setup, project/media/timeline discovery, and running commands.
- Quick command examples for model listing, video/image generation, analysis, transcription, cost estimation, and ViMax workflows.
- Instructions for API key setup and management, with a list of supported providers.
- Full summary table for global CLI options and key source files for easier navigation and development.
Metadata
Frequently Asked Questions
What is Qcut Video Edit?
Run QCut's native TypeScript pipeline CLI for AI content generation, video analysis, transcription, YAML pipelines, ViMax agentic video production, and proje... It is an AI Agent Skill for Claude Code / OpenClaw, with 405 downloads so far.
How do I install Qcut Video Edit?
Run "/install qcut-video-edit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Qcut Video Edit free?
Yes, Qcut Video Edit is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Qcut Video Edit support?
Qcut Video Edit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Qcut Video Edit?
It is built and maintained by donghaozhang (@donghaozhang); the current version is v2026.3.5.
More Skills