ClawHub

TL;DX

v1.0.1

Extract, transcribe, clean, segment, and analyze long-form content from URLs, local media files, existing transcripts, and pasted text. Use when a user provi...

1· 90·1 current·1 all-time
byJiale Cheng@chengjl19
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a long-form summarization/transcription tool and includes scripts to provision ffmpeg, a local whisper.cpp binary, and ggml models, which are appropriate and expected for local ASR/transcription workflows.
Instruction Scope
SKILL.md instructs the agent to acquire content from URLs, local files, subtitles, or pasted text and to inspect pages (rendered text, network requests, page scripts) when needed. This is within the described purpose, but the guidance to 'inspect network requests' and to read an environment 'stable memory file' (if available) expands what the agent may touch. No instructions ask for unrelated secrets or odd exfiltration, but the agent will fetch remote pages and may access local workspace files.
Install Mechanism
There is no registry install spec, but included scripts will: attempt to find or install ffmpeg via package managers (brew/apt/dnf/yum/pacman), clone and build whisper.cpp from GitHub with git/cmake, and download ggml model binaries from Hugging Face. These are expected for a local ASR runtime but entail network downloads, large files, and possible privilege escalation (sudo) to install system packages.
Credentials
The skill declares no required credentials or env vars. Scripts do honor optional environment variables for runtime size thresholds (CONTENT_INSIGHT_RUNTIME_WARN_MB, CONTENT_INSIGHT_RUNTIME_CLEAN_MB) and may use sudo when provisioning system packages; no unrelated tokens or secrets are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill creates its own runtime/ and output/ directories and contains maintenance/cleanup scripts that operate only on its runtime area; it does not modify other skills or request permanent platform-level privileges.
Scan Findings in Context
[git_clone_github_whisper_cpp] expected: ensure_whisper_cpp.sh clones https://github.com/ggml-org/whisper.cpp and attempts to build whisper-cli; cloning and building is expected for provisioning a local ASR binary.
[curl_download_huggingface_model] expected: ensure_whisper_model.sh downloads ggml-<model>.bin from huggingface.co/ggerganov/whisper.cpp; large model downloads are normal for local ASR but will use significant bandwidth and disk.
[package_manager_install_ffmpeg] expected: ensure_ffmpeg.sh will try brew/apt-get/dnf/yum/pacman and may run commands with sudo; this is expected to provision ffmpeg for media extraction but will attempt system package installation.
[uses_sudo_or_root_install] expected: Scripts include run_with_optional_sudo to run installs as root if needed; this may prompt for elevated privileges on the host.
Assessment
This skill appears to be what it says: a local transcription + summarization workflow. Before installing/using it, consider the following: - Disk and bandwidth: the skill will download large ggml model files (tens to hundreds of MBs to multiple GBs depending on model) into runtime/models and may build binaries from source; ensure you have sufficient disk space and bandwidth. - Privileges: the scripts may attempt to install ffmpeg via system package managers and will use sudo when available; be prepared for prompts and only allow if you trust running package installs on the host. - Network access: the runtime will fetch code from GitHub and models from Hugging Face and will fetch remote content (web pages, captions) during normal operation; expect outbound network connections. - Local files: the model provisioning script will also look for local model files (e.g., in ~/.cache or parent directories) and copy them into runtime/models—this is intended convenience but means local model files may be read and copied. - Audit the scripts: because this is an instruction-only skill with bundled scripts that create and execute binaries, review the included shell scripts before use or run them inside an isolated environment (container or VM) if you have concerns. - Origin: the registry entry lacks a homepage and the source is unknown; if provenance matters, request or obtain a trusted upstream/source before wide deployment. If you accept the above (large downloads, possible sudo installs, and network access), the skill's behavior is coherent with its stated purpose. If you do not want local installs or large model downloads, ask for a version that uses a cloud ASR service or a smaller offline-only configuration.

Like a lobster shell, security has layers — review code before you run it.

latestvk978y9rje2z9skd68thjsts0es83c2aq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments