Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Downloader Skimmer

v1.0.0

Download YouTube videos and automatically clip key segments

by Rao Lin (@bg1avd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description promise (download + auto-clip + send to QQ/Telegram) mostly aligns with included code, but there are notable mismatches: package.json lists Node-style dependencies (yt-dlp, ffmpeg) while the runtime is Python using the yt_dlp pip package; SKILL.md and README advertise sending to QQ/Telegram but send_to_platform() only prints file paths and does not implement network delivery; chapter detection is advertised as "automatic" but the code uses a hardcoded duration placeholder (900s) and heuristic splitting rather than extracting real chapter metadata. These inconsistencies mean the skill may not perform as described without fixes.
Instruction Scope
SKILL.md instructs installing yt-dlp and ffmpeg and running the tool with various flags — that matches the code's intent. However, the instructions promise functionality the runtime does not implement (platform delivery) and refer to automatic chapter extraction even though the Python code does not query actual video metadata for chapters and uses a fixed duration. The instructions do not ask for any unrelated files/credentials or read environment variables, which is good, but their operational promises exceed the implemented scope.
Install Mechanism
No install spec is present (instruction-only), and included code runs as a local Python script; dependencies are expected to be installed via pip and system package manager (ffmpeg). There are no remote download URLs or archive extraction steps. This is a lower install risk, but the package.json (Node-style) is unnecessary and confusing for a Python tool.
Credentials
The skill requests no environment variables, credentials, or sensitive config paths. The runtime uses only command-line args and writes output to a local directory (default /tmp/openclaw/). No evidence of reading secrets or exfiltrating data to hidden endpoints.
Persistence & Privilege
The skill sets always: false, and no code persists itself into agent config or modifies other skills. It writes files to its output directory and can delete the raw download if requested — that is proportional for its purpose.
What to consider before installing
This skill looks like a genuine YouTube download + clip tool but has implementation problems and misleading documentation. Before installing or running it:

1) Do not run on production or sensitive systems — test in a sandbox with limited disk/network access.
2) Expect to install yt-dlp (pip) and system ffmpeg; large downloads will consume bandwidth/disk.
3) The code has bugs you should fix (e.g., wrong variable used when selecting format, use of OUTPUT_DIR/title before they are defined, hardcoded duration instead of reading actual video duration, and send_to_platform() does not implement real delivery).
4) If you need automatic sending to Telegram/QQ, treat that as not implemented until you or the author add secure, credentialed upload logic.
5) Consider reviewing and running the script line-by-line to confirm behavior and add proper error handling, real chapter extraction from yt-dlp info, and any needed credential handling in a secure way.


latest: vk97dhgbm1zbcm90ych09vhkqrx847fmr
