Skill v1.0.0

ClawScan security

Instagram Reels · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 3:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (downloading public reels, extracting audio, and calling Groq Whisper to transcribe); nothing requested is disproportionate to that goal.
Guidance
This skill appears coherent and does what it says: download public reels (or private ones if you supply cookies), convert audio, and call Groq's transcription API. Before installing or using it:
1) Only export and provide browser cookies if you understand the privacy risk: cookies contain session tokens and can grant account access. Prefer using public reels when possible.
2) Keep your GROQ_API_KEY secret (set as an env var, rotate if leaked) and confirm Groq billing/limits.
3) Install yt-dlp/ffmpeg from official sources (pip, distro package manager, Homebrew).
4) Clean up temporary files (/tmp/reel.*) after use and consider running this pipeline in an isolated environment if you worry about untrusted media.
5) Verify you have the right to download/transcribe content (terms of service/copyright).
If you need the skill to avoid handling cookies or to use a different transcription provider, request a modified version that removes cookie-export guidance and/or supports alternative APIs.

Review Dimensions

Purpose & Capability
ok: Name/description match the declared binaries and env var. yt-dlp, ffmpeg, python3, and curl are required for downloading, extracting, and converting audio; GROQ_API_KEY is needed to call the Groq transcription API. No unrelated credentials or binaries are requested.
Instruction Scope
note: Instructions stay focused on downloading public media, extracting audio, and calling the Groq transcription endpoint. One notable scope-sensitive point: the doc advises exporting browser cookies and using a 'Get cookies.txt' extension for private reels; that legitimately enables access to private content but also involves handling session cookies (sensitive tokens). The instructions write temporary files to /tmp and call out cleaning them up; they do not attempt to read other unrelated secrets or system paths.
Install Mechanism
ok: This is instruction-only (no install spec). The setup suggests installing yt-dlp via pip and ffmpeg via package managers, which is standard for this workflow. No downloads from arbitrary URLs or archive extraction steps are present.
Credentials
ok: Only GROQ_API_KEY is declared and used; that is appropriate for the transcription API. The SKILL.md does not reference additional environment variables beyond the declared key.
Persistence & Privilege
ok: Skill is instruction-only, not always-included, and requests no persistent system-level privileges. It does not modify other skills' configs or require permanent presence.