Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
抖音视频快速转文字 (Quick Douyin Video-to-Text)
v1.0.0 Quick Douyin video-to-text (optimized edition). The user sends a Douyin share link and the skill extracts the spoken text automatically. Features: local Whisper transcription, no API key required, zero cost, high privacy. Trigger words: 抖音 (Douyin), 转文字 (to text), 提取文案 (extract the copy), 视频转录 (video transcription).
⭐ 0· 94·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw scanner verdict: Suspicious (medium confidence)
Purpose & Capability
The name and description (local Whisper transcription of Douyin videos) match the code and instructions: the skill calls douyin-mcp to resolve the share link to a video URL, uses ffmpeg to extract the audio track, and runs local Whisper to transcribe it. Minor inconsistency: the SKILL.md prerequisites list Python, ffmpeg, and openai-whisper but omit the 'mcporter' tool that the script uses to call douyin-mcp and that is required for URL extraction.
Instruction Scope
The SKILL.md and the script instruct running shell commands that embed untrusted data: the share link, which comes from whoever sends it to the agent, and the video URL returned by douyin-mcp, which comes from a third-party service. The Python script builds these commands as strings and runs them with subprocess.run(..., shell=True) without escaping or validating the embedded values, so a crafted link or a crafted URL in the service response can inject additional shell commands. Apart from that, the instructions stay within the transcription purpose and do not attempt to read unrelated system secrets or send output to hidden endpoints.
Install Mechanism
No install spec (instruction-only plus a single helper script): nothing is downloaded or written automatically by an installer. Dependencies (ffmpeg, whisper, mcporter) are installed manually. This is lower risk from an install-source perspective, but the missing mcporter entry in SKILL.md is an operational gap.
Credentials
The skill declares no credentials or environment variables and does not request unrelated secrets. It writes transcripts into a directory under the user's home (~/.openclaw/workspace/douyin-transcripts), which is reasonable for this function but worth noting as persisted data on disk.
Persistence & Privilege
The skill is not marked 'always:true' and uses normal autonomous invocation defaults. It does not attempt to modify other skill configurations or require elevated privileges.
What to consider before installing
This skill appears to do what it claims (local Whisper transcription), but proceed with caution. Key points:
- The script calls 'mcporter' (douyin-mcp) to parse Douyin links, but SKILL.md does not list mcporter as a required tool. Make sure you install and trust mcporter before use.
- The script builds shell commands with user-supplied values (share links and extracted URLs) and runs them with shell=True. That is a real command-injection risk if you or others pass crafted inputs. Prefer running it only on trusted inputs or run the script in an isolated environment (container/VM) until the code is patched to use subprocess with argument lists (no shell) and proper input validation/escaping.
- Transcripts are saved under ~/.openclaw/workspace/douyin-transcripts; confirm you are comfortable with this persistent storage location.
- If you plan to run this on a multi-user or server environment, review and harden the script (remove shell=True, validate/sanitize inputs, and explicitly require mcporter in documentation) before enabling autonomous invocation.
If you want, I can suggest a small patch to the script that removes shell=True and safely constructs subprocess calls, and I can point out exactly where to add mcporter as a documented dependency.
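The hardening the scan recommends (argument lists instead of shell=True, plus validation of the link and of the extracted URL, plus an output path that is not derived from user text), shown as an added example rather than the skill's own code. The Douyin host allowlist, the ffmpeg arguments, the transcript directory layout and all function names are assumptions; the mcporter call is left out because its command-line syntax is not shown on this page, and the same argv-list pattern applies to it.

```python
import hashlib
import subprocess
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: hosts used by Douyin share links and by the video URLs douyin-mcp returns.
ALLOWED_HOSTS = {"v.douyin.com", "www.douyin.com", "www.iesdouyin.com"}
# The transcript directory the scan mentions.
WORKSPACE = Path.home() / ".openclaw" / "workspace" / "douyin-transcripts"


def vulnerable_ffmpeg_command(video_url: str, out_path: str) -> str:
    # The flagged pattern: untrusted data interpolated into one string that is
    # then handed to /bin/sh via subprocess.run(cmd, shell=True).  A video_url
    # of 'https://h/x; touch /tmp/pwned' makes the shell run 'touch'.
    return f"ffmpeg -y -i {video_url} -vn -ac 1 -ar 16000 {out_path}"


def validate_media_url(url: str) -> str:
    """Accept only a plain http(s) URL on an allowlisted host.

    The argv list below already stops shell interpretation; this check is
    defence in depth so ffmpeg cannot be pointed at file:, data: or other
    protocols, and so whitespace or control characters never reach a tool.
    """
    url = url.strip()
    if not url or any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("URL contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.username or parts.password or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.netloc!r}")
    return url


def is_rejected(url: str) -> bool:
    """True when validate_media_url refuses the URL (used by the checks below)."""
    try:
        validate_media_url(url)
    except ValueError:
        return True
    return False


def audio_path_for(share_link: str, workspace: Path = WORKSPACE) -> Path:
    # File name derived from a hash of the link, never from the link text, so
    # user input cannot steer the output path (e.g. '../../.ssh/authorized_keys').
    digest = hashlib.sha256(share_link.encode("utf-8")).hexdigest()[:16]
    return workspace / f"{digest}.wav"


def build_ffmpeg_argv(video_url: str, out_path: Path) -> list[str]:
    """Argument list for ffmpeg: every value is one argv element, no shell."""
    url = validate_media_url(video_url)
    return [
        "ffmpeg", "-nostdin", "-y",
        "-i", url,
        "-vn", "-ac", "1", "-ar", "16000", "-c:a", "pcm_s16le",  # 16 kHz mono PCM for Whisper
        str(out_path),
    ]


def run_argv(argv: list[str], timeout: int = 300) -> str:
    """Run a command without a shell; metacharacters in argv are inert."""
    result = subprocess.run(argv, shell=False, check=True, capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


def demo_argv_is_literal(payload: str) -> str:
    # Shows the core property with a harmless child process: even an
    # unvalidated payload arrives as one literal argument, so '; touch
    # /tmp/pwned' is printed back, not executed.
    return run_argv([sys.executable, "-c", "import sys; print(sys.argv[1], end='')", payload])


if __name__ == "__main__":
    link = "https://v.douyin.com/AbCdEf/"  # constructed sample share link
    print(build_ffmpeg_argv(link, audio_path_for(link)))
    print(demo_argv_is_literal("https://v.douyin.com/x/; touch /tmp/pwned"))
```

Run the script with a crafted link such as `https://v.douyin.com/x/; touch /tmp/pwned` and compare: the string form in vulnerable_ffmpeg_command would hand the `; touch` part to the shell, while build_ffmpeg_argv rejects the link outright and demo_argv_is_literal shows that, even without validation, an argv list delivers the whole string as a single argument. Apply the same two layers (allowlist validation, then argv list) to the mcporter/douyin-mcp call and to the URL it returns.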
latest: vk9746wt8vczgckh734bxpy5nb183k51q
