Video Transcribe - 视频转文字
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is mostly aligned with local video transcription, but first use can automatically install an unpinned Python package from a third-party mirror and modify the user’s Python environment.
Review before installing. If you use it, consider preinstalling Whisper in a virtual environment with pinned versions, ensure ffmpeg is installed, and remember that transcripts and summaries may contain sensitive speech content and will be saved locally.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may download and install third-party code into the user’s Python environment, which can affect other Python tools or introduce supply-chain risk.
The skill installs an unpinned Python package from a mirror at runtime. Without a pinned version, hash, or reviewed install spec, the code executed during installation can change over time.
"openai-whisper", "-i", "https://pypi.tuna.tsinghua.edu.cn/simple", "--break-system-packages", "--user"
Use an explicit install step, pin openai-whisper and dependency versions, avoid --break-system-packages where possible, and prefer a virtual environment.
A user or agent trying to transcribe a file could trigger package installation and environment changes without a separate confirmation prompt in the script.
Invoking transcription can automatically run the installer if Whisper is missing, rather than only processing the selected media file.
if not check_whisper():
    install_whisper()  # auto-install
Ask for explicit user confirmation before installing dependencies, or move installation into a declared install spec that users review before first run.
Users may expect no network use at all, while dependency and model downloads can occur on first use.
The privacy claim appears aimed at media not being uploaded, but the same document also says first run installs Whisper and downloads models, so it is not fully offline during setup.
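Runs locally - videos are not uploaded, protecting privacy ... On first run, the Whisper engine is automatically detected and installed ... The first run downloads the model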
Clarify that transcription is local after setup, but initial dependency/model installation requires network access.
