Video Reader

Tool-driven video question answering with frame extraction, sub-agent analysis, and audio transcription

This skill appears to implement a real video QA system, but there are important mismatches and operational risks you should consider before installing or running it: - Credentials & env vars: The skill bundle and docs mention both local Whisper (faster-whisper) and remote transcription APIs, but videoarm_audio.py currently requires WHISPER_API_KEY (and will call a remote transcription endpoint) unless you run a local whisper server. Do NOT paste your OpenAI/Anthropic/Groq API keys into environment variables for this skill until you confirm whether the skill will use a local model or an external API. Prefer testing first with a non-sensitive account or an isolated environment. - Missing declared requirements: The manifest declares no required binaries or env vars, yet the code needs ffmpeg (required), optionally yt-dlp (for downloads), and Python packages (opencv, faster-whisper). Install and test in a sandbox or VM and run videoarm-doctor to verify dependencies before giving the skill access to important files. - Local file writes & cleanup: The skill creates ~/.videoarm and writes logs and cached videos; its cleaner can delete ~/.openclaw/workspace/tmp — that could remove other OpenClaw workspace files. If you care about other workspace data, avoid running the cleaner with broad flags or inspect the cleaner code first. - Data exposure via sub-agents: The orchestrator spawns sub-agents and writes frame-grid images to workspace tmp for those sub-agents to read. If the video contains sensitive content you do not want shared with remote models, ensure the sub-agent/image tools operate locally and that no remote vision/transcription endpoints are configured. What to do next: 1. Inspect videoarm_audio.py and videoarm_local_whisper to confirm whether transcription runs locally or requires an API key in your deployment. 2. Run videoarm-doctor in a safe environment to see what dependencies are missing. 3. If you must provide API keys, create scoped/test keys and run in an isolated account. 4. If you want to use only local models, confirm the local server path and disable WHISPER_API_KEY/BASE_URL. 5. Consider running the skill inside a disposable container/VM to validate behavior and filesystem changes before using on your regular workstation.

Type: OpenClaw Skill Name: video-reader Version: 4.1.1 The VideoARM skill implements a sophisticated video analysis pipeline that utilizes several high-risk capabilities, including spawning sub-agents via `sessions_spawn` for image analysis and executing shell commands through `subprocess` for video processing with `ffmpeg` and `yt-dlp` (e.g., in `videoarm_cli/videoarm_audio.py` and `videoarm_cli/videoarm_download.py`). Notably, the package includes a local Whisper transcription service (`videoarm_local_whisper/server.py`) and a setup script (`videoarm_local_whisper/setup.py`) that establishes persistence on macOS by installing a `launchd` agent. While these features are plausibly necessary for the stated purpose of tool-driven video QA and are documented, the combination of persistence, local server execution, and broad sub-agent orchestration constitutes a significant security footprint without explicit safeguards against common risks like argument injection or unauthorized persistence.