Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

vsum

v1.0.0

Video summarizer: automatically fetches subtitles from YouTube and Bilibili videos and summarizes them with AI, producing Markdown output. Intended use: the user gives a video link and wants its content summarized.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (video summarizer for YouTube/Bilibili) match the provided script and instructions: yt-dlp fetches the subtitles, then an AI API is called to summarize them. However, the skill metadata declares neither the required tooling (yt-dlp) nor the AI API key that normal operation needs.
Instruction Scope
SKILL.md and the scripts instruct the agent to run yt-dlp, including the flag --cookies-from-browser chrome for Bilibili. That flag reads the browser's session cookies (the whole Chrome cookie store, not only Bilibili's); this is a sensitive operation, but it is neither declared in requires.config nor explained or limited. SKILL.md also instructs agents to "send subtitle content to AI" without specifying the destination, data retention, or how API keys are supplied, which grants broad discretion to transmit user data to external providers.
Install Mechanism
Instruction-only skill with a small helper script and no install spec. This minimizes what lands on disk; the risk comes from the external tool (yt-dlp) and from network activity rather than from an installer pulling arbitrary code.
Credentials
requires.env lists nothing, yet the runtime clearly needs (1) an AI provider API key or other credentials to perform summaries and (2) read access to browser cookies for Bilibili subtitle downloads. Not declaring these is a mismatch: API keys and cookie access are sensitive and should be explicitly required and justified in the metadata.
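The Instruction Scope and Credentials findings above come down to one check: compare what the skill declares with what its text actually does. The following is an added example of that check, written for this page; it is not ClawHub's scanner and not the vsum skill's own code. The SKILL.md excerpt, helper script and metadata are constructed to mirror the report's description (nothing declared, while the script runs yt-dlp with --cookies-from-browser, reads an API key from the environment, posts to an external API and writes under ~/Downloads). The metadata shape (requires.env / requires.bins / requires.config), the endpoint api.example.com and the variable name AI_API_KEY are assumptions, not the real schema or the skill's real values.

```python
"""Metadata-versus-behaviour audit for an instruction-only skill (added example)."""
import re

# Constructed: the skill declares no requirements at all (assumed metadata shape).
DECLARED = {"requires": {"env": [], "bins": [], "config": []}}

# Constructed SKILL.md excerpt modelled on the scan report's description.
SKILL_MD = """\
Run scripts/fetch_subs.sh <url> to fetch subtitles with yt-dlp.
For Bilibili links, yt-dlp uses --cookies-from-browser chrome.
Send the subtitle text to the AI provider and write the summary as Markdown.
"""

# Constructed helper script modelled on the scan report's description.
# AI_API_KEY and api.example.com are placeholders, not the skill's real values.
SCRIPT = r"""#!/bin/sh
URL="$1"
case "$URL" in
  *bilibili.com*) EXTRA="--cookies-from-browser chrome" ;;
  *) EXTRA="" ;;
esac
yt-dlp $EXTRA --skip-download --write-subs --write-auto-subs \
  --sub-langs "zh.*,en.*" -o "$HOME/Downloads/%(title)s.%(ext)s" "$URL"
curl -s https://api.example.com/v1/summarize \
  -H "Authorization: Bearer $AI_API_KEY" --data-binary @"$HOME/Downloads/subs.txt"
"""

# yt-dlp flags whose use should be declared and justified in skill metadata.
SENSITIVE_FLAGS = {
    "--cookies-from-browser": "reads the browser's whole cookie store (session tokens for every site)",
    "--cookies": "reads (and rewrites) a Netscape cookie file",
}
# Binaries an instruction-only skill commonly shells out to.
KNOWN_BINS = ("curl", "ffmpeg", "node", "python3", "yt-dlp")


def referenced_bins(text):
    """Binaries that appear as standalone words (not inside a path or longer name)."""
    return [b for b in KNOWN_BINS
            if re.search(r"(?<![\w./-])" + re.escape(b) + r"(?![\w-])", text)]


def referenced_env(text):
    """$NAME / ${NAME} references, minus variables the script assigns itself."""
    used = set(re.findall(r"\$\{?([A-Z][A-Z0-9_]*)\}?", text))
    assigned = set(re.findall(r"(?<![\w$])([A-Z][A-Z0-9_]*)=", text))
    return sorted(used - assigned - {"HOME", "PATH", "USER"})


def sensitive_flags(text):
    """Flags matched whole, so --cookies does not fire on --cookies-from-browser."""
    return [f for f in SENSITIVE_FLAGS
            if re.search(re.escape(f) + r"(?![\w-])", text)]


def outbound_hosts(text):
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", text)))


def audit(declared, *texts):
    """Return (kind, subject, note) findings for behaviour the metadata omits."""
    blob = "\n".join(texts)
    req = declared.get("requires", {})
    findings = []
    for b in referenced_bins(blob):
        if b not in req.get("bins", []):
            findings.append(("bin", b, "invoked but not declared in requires.bins"))
    for v in referenced_env(blob):
        if v not in req.get("env", []):
            findings.append(("env", v, "read but not declared in requires.env"))
    for f in sensitive_flags(blob):
        if f not in req.get("config", []):
            findings.append(("flag", f, SENSITIVE_FLAGS[f] + "; not declared in requires.config"))
    for h in outbound_hosts(blob):
        findings.append(("network", h, "data (here, subtitle text) leaves the host"))
    if re.search(r"\$HOME/Downloads|~/Downloads", blob):
        findings.append(("fs", "~/Downloads", "writes outside the skill's own directory"))
    return findings


if __name__ == "__main__":
    for kind, subject, note in audit(DECLARED, SKILL_MD, SCRIPT):
        print(f"[{kind}] {subject}: {note}")
```

Run against the constructed inputs, the audit reports two undeclared binaries (curl, yt-dlp), one undeclared environment variable, the undeclared --cookies-from-browser flag, one outbound host and the write to ~/Downloads; with those items added to the metadata, only the two inherent behaviours (network egress and the Downloads write) remain, which is exactly what a user should still be told about.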
Persistence & Privilege
The skill does not request always:true or modify system/other-skill configs. It runs on-demand and writes subtitle files to the user's Downloads directory, which is reasonable for its purpose but should be made explicit to users.
What to consider before installing
This skill appears to do what it says (download subtitles with yt-dlp and summarize them with an AI), but there are privacy and transparency gaps you should consider before installing:
- You must install yt-dlp separately; the skill metadata does not list it as a required binary.
- For Bilibili it uses yt-dlp's --cookies-from-browser option, which reads your browser's cookies (session tokens). That can expose sensitive session data; only run this if you trust the environment and understand the cookie access.
- SKILL.md mentions external AI providers but does not say how API keys are provided. Expect to supply an API key or credential to the agent; use a provider you trust and understand that the subtitle text will be transmitted to it.
- The helper script writes subtitle files to ~/Downloads; check that location if you are concerned about local storage or accidental disclosure.
- If you need stronger guarantees, ask the author to (1) add yt-dlp and the required API credentials to the skill metadata, (2) document exactly where summaries are sent and how credentials are stored and used, and (3) avoid reading browser cookies, or clearly warn about it and offer an alternative authentication flow.
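The third request in the list above (an alternative to reading browser cookies) has a simple concrete form: give yt-dlp a cookie file that contains only the one site's session, via --cookies FILE, instead of the whole browser store via --cookies-from-browser. The code below is an added example written for this page, not the vsum skill's own code: it filters a Netscape-format cookies.txt down to .bilibili.com, writes the result with owner-only permissions, and builds the yt-dlp subtitle-only command line. The sample jar is constructed and its cookie values are placeholders; the output template and language pattern are choices for the example, not the skill's.

```python
"""Scoped cookie file in place of --cookies-from-browser (added example)."""
import os
import tempfile

# Constructed Netscape cookie file: two Bilibili rows plus unrelated sessions
# that a blanket --cookies-from-browser would also hand to the process.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".bilibili.com", "TRUE", "/", "TRUE", "1900000000", "SESSDATA", "placeholder-session"]),
    "\t".join(["#HttpOnly_.bilibili.com", "TRUE", "/", "TRUE", "1900000000", "bili_jct", "placeholder-csrf"]),
    "\t".join([".google.com", "TRUE", "/", "TRUE", "1900000000", "SID", "placeholder-google"]),
    "\t".join(["github.com", "FALSE", "/", "TRUE", "1900000000", "user_session", "placeholder-github"]),
])


def cookie_domain(line):
    """Domain column of a Netscape cookie row; None for comments and blank lines.
    Rows may carry the '#HttpOnly_' prefix curl and yt-dlp write, which is not a comment."""
    if not line.strip():
        return None
    if line.startswith("#HttpOnly_"):
        line = line[len("#HttpOnly_"):]
    elif line.startswith("#"):
        return None
    return line.split("\t", 1)[0]


def domain_allowed(domain, suffixes):
    """True for the apex domain itself or any subdomain of an allowed suffix."""
    host = domain.lstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def scope_cookie_jar(text, suffixes=(".bilibili.com",)):
    """Keep header/comment lines and only the rows whose domain is in scope."""
    kept = [ln for ln in text.splitlines()
            if cookie_domain(ln) is None or domain_allowed(cookie_domain(ln), suffixes)]
    return "\n".join(kept) + "\n"


def cookie_count(text):
    return sum(1 for ln in text.splitlines() if cookie_domain(ln) is not None)


def write_private(path, text):
    """Create the file 0600 from the start rather than chmod-ing it afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def ytdlp_subtitle_argv(url, cookie_file, out_dir):
    """yt-dlp invocation: subtitles only, scoped cookie file, no browser access."""
    return ["yt-dlp", "--cookies", cookie_file,
            "--skip-download", "--write-subs", "--write-auto-subs",
            "--sub-langs", "zh.*,en.*",
            "-o", os.path.join(out_dir, "%(id)s.%(ext)s"), url]


if __name__ == "__main__":
    scoped = scope_cookie_jar(SAMPLE_JAR)
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "bilibili-cookies.txt")
        write_private(jar, scoped)
        print(oct(os.stat(jar).st_mode & 0o777), cookie_count(scoped), "cookies kept")
        print(" ".join(ytdlp_subtitle_argv("https://www.bilibili.com/video/EXAMPLE", jar, tmp)))
```

The export of cookies.txt from the browser is a one-time step the user performs outside the agent; the agent only ever sees the scoped file. Note that yt-dlp also writes its cookie jar back to the --cookies file, so the file must stay writable by the user and should keep its 0600 mode.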


Version: latest (vk97fh8g85br12d8yhwc651hwxs81ea18)

