Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
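Video Summarizer (Video Excerpts + Notion Archive)
v1.0.7
Converts Bilibili/YouTube/Xiaohongshu/Douyin videos into structured Notion summary documents, automatically uploads screenshots, and pushes to Notion with one click.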
by haozhenjie @ajayhao
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (download video, transcribe, AI summarize, upload screenshots to OSS, push to Notion) aligns with the included scripts. Required binaries (ffmpeg, yt-dlp) and Aliyun OSS + AI API keys are reasonable for the stated tasks.
Instruction Scope
Runtime instructions and scripts perform network requests to external services (DashScope API, Siliconflow, various video sites), read/write cookie files (~/.cookies/bilibili_cookies.txt), and load ~/.openclaw/.env. They will transmit video transcripts and metadata to external AI/transcription APIs and upload images to OSS. Those operations are expected for this skill but are privacy-sensitive and broader than simple local summarization.
Install Mechanism
Install steps are standard (brew/apt to get ffmpeg/yt-dlp, pip to install requests/oss2/python-dotenv). No remote arbitrary archive download or obscure URL installs were found in the provided files.
Credentials
The declared required env vars (DASHSCOPE_API_KEY and Aliyun OSS keys) make sense, but there is a mismatch: scripts (check-config.sh and SKILL.md) also expect ALIYUN_OSS_ENDPOINT (and other optional keys like NOTION_API_KEY, GROQ_API_KEY, SILICONFLOW_API_KEY) — yet ALIYUN_OSS_ENDPOINT is not listed in the registry required env set. The skill will require and use secrets (Aliyun access key/secret, AI API keys) that grant remote access/storage and will be sent to external services, which is proportional to functionality but sensitive. Bilibili cookie handling writes session tokens to ~/.cookies which are sensitive.
Persistence & Privilege
The skill is not always-enabled. It writes files to user-owned paths (~/.cookies, ~/.openclaw/skills/*, /tmp output) and reads ~/.openclaw/.env; this is expected for a tool that stores credentials and outputs. It does not request elevated system-wide privileges or modify other skills.
What to consider before installing
This skill is largely consistent with its description, but there are a few things to consider before installing:
- Secrets and external APIs: The skill requires your DashScope AI API key and your Aliyun OSS access key/secret (and bucket). Using it will send transcripts and screenshots to external services (DashScope, Siliconflow, Aliyun). Only use keys you trust and be aware those services will receive video/audio/text content.
- Missing/mismatched env var: The scripts expect ALIYUN_OSS_ENDPOINT (and other optional keys) though ALIYUN_OSS_ENDPOINT isn't listed in the registry's required env list — make sure to set ALIYUN_OSS_ENDPOINT in ~/.openclaw/.env or the check will fail.
- Cookies and session data: Bilibili login saves converted cookies to ~/.cookies/bilibili_cookies.txt (contains session tokens). Only perform the login flow on a machine you control and be prepared to rotate session credentials if needed.
- Review external endpoints: The skill calls dashscope.aliyuncs.com and other third-party endpoints (e.g., siliconflow.cn), and scrapes video sites. If you do not trust those endpoints, do not provide keys or do not run the skill.
- Least privilege & isolation: Create an OSS bucket with limited scope (e.g., dedicated bucket, minimal permissions) and avoid using sensitive workspace keys. Consider running the skill in an isolated environment (container/VM) if you run untrusted videos or credentials.
- Verify optional dependencies: The repo uses biliup for Bilibili login and other Python libs; ensure you install only what you need. The SKILL.md/pip instructions mention requests/oss2/python-dotenv but biliup is referenced by scripts — install it intentionally if you need Bilibili subtitle access.
- If you need stronger assurance: inspect the remaining omitted files (upload-to-oss.py, video-summarize.sh, transcribe scripts, push-to-notion.py) in full, and run the scripts in a test environment with non-production keys first.
If you want, I can: (1) point out exact lines where sensitive network calls happen, (2) list all environment variables the scripts actually read, or (3) produce a minimal safe configuration example (scoped OSS bucket + non-production AI key) for testing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎬 Clawdis
Bins: ffmpeg (>=6.1), yt-dlp (>=2026.03.17)
Env: DASHSCOPE_API_KEY, ALIYUN_OSS_AK, ALIYUN_OSS_SK, ALIYUN_OSS_BUCKET_ID
Install
Install ffmpeg and yt-dlp (brew)
Bins: ffmpeg, yt-dlp
brew install ffmpeg yt-dlp