Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

audio to text and video to text

v1.0.0

Transcribe audio and video files into text using OpenAI's Whisper API. Use this skill whenever a user wants to convert any audio or video file to text — incl...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md match the stated purpose (ffmpeg + OpenAI Whisper transcription, chunking, output formats). However, the registry metadata claims no required environment variables or primary credential, while SKILL.md and the script clearly require an OpenAI API key (OPENAI_API_KEY). The skill also mentions optional post-processing with 'Claude' (Anthropic) without declaring any Anthropic credentials, which is inconsistent.
Instruction Scope
The runtime instructions stay within transcription scope: checking uploads, verifying ffmpeg, installing Python deps, running the included transcribe.py, splitting large files, and saving outputs to /mnt/user-data/outputs/. These actions are expected for a transcription skill. One concern: instructions explicitly ask the user to provide an OpenAI API key (text starting with 'sk-') which could encourage pasting secrets into chat rather than setting environment variables through a secure platform mechanism.
Install Mechanism
No external download/install spec is included (instruction-only install). The bundled Python script self-installs dependencies via pip if missing. There are no remote downloads or URL-based installers in the manifest. The pip commands use --break-system-packages which can alter system package isolation in some environments; that's notable but common for scripts running in managed sandboxes.
Credentials
The script requires an OpenAI API key (OPENAI_API_KEY) and accepts --api-key on the CLI, but the registry metadata lists no required env or primary credential — a direct mismatch. Asking users to paste their secret (it even states the 'sk-' prefix) is risky; the skill does not request other unrelated credentials, so the scope of secrets is proportional but the omission in metadata and guidance to provide keys in-chat are concerning.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system-wide settings, and contains no code that appears to persist credentials beyond typical environment variable usage. It writes outputs to /mnt/user-data/outputs/, which is appropriate for delivering transcripts.
What to consider before installing
This skill's code looks like a normal Whisper transcription tool, but the registry metadata failed to declare the required OpenAI credential. Before installing:
1) Do NOT paste your OpenAI API key into chat — prefer setting OPENAI_API_KEY via the platform's secure env/secret settings or pass it to the script through the secure installer.
2) Verify the publisher (source is unknown) and prefer skills that declare their required env vars in metadata.
3) Confirm ffmpeg is available in your environment and be aware the script will pip-install deps (it uses --break-system-packages).
4) If you plan to use the optional 'Claude' post-processing, check what credentials (Anthropic) would be needed; the skill does not declare them.
5) If unsure, ask the publisher to correct metadata (add OPENAI_API_KEY as primaryEnv) and to document exactly how to supply secrets securely; avoid pasting keys into chat.

Like a lobster shell, security has layers — review code before you run it.
