Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Transcriber Skill
v1.0.0自动转录 YouTube 视频,生成带时间戳的文字稿
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code and docs: the package uses yt-dlp to download audio and faster-whisper to transcribe. Required packages and entrypoints (transcribe.py, bin/transcribe.js) align with the stated purpose; no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and the included scripts instruct the agent/user to download audio via yt-dlp and run local transcription. The runtime instructions reference only the YouTube URL, language option, and local commands; they do not read unrelated system files or request secrets.
Install Mechanism
There is no high-risk remote installer; installation is via pip install -r requirements.txt (install.sh). This is expected for a Python tool but will install packages system-wide unless run in a virtual environment. The transcription model (faster-whisper/WhisperModel) will likely download model weights from external model hosts at runtime, which implies large network and disk usage — expected but worth noting.
Credentials
The skill declares no required environment variables or credentials and the code does not access secrets. README mentions optional proxy env vars for network connectivity, which is reasonable and optional.
Persistence & Privilege
The skill is user-invocable and not forced always-on. The included openclaw/install metadata indicates an auto-install script (install.sh) will run when installing, which is normal for installing dependencies but does not modify other skills or system configurations beyond pip installs.
Assessment
This package appears coherent and implements local transcription: it downloads audio with yt-dlp and runs faster-whisper locally. Before installing, consider: (1) run install.sh or pip inside a virtualenv to avoid system-wide installs; (2) model weights will likely be downloaded at first run (large bandwidth and disk usage); (3) yt-dlp downloads YouTube content — ensure you have the right to download the videos you process; (4) faster-whisper may require sufficient RAM/CPU or GPU and ffmpeg might be needed for some formats. If you want extra safety, inspect/run the code in an isolated environment (container or VM) first.bin/transcribe.js:27
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97fkvq1ceepvrgt8rv6d6a89184fewc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.