Skill v1.0.0

ClawScan security

Video News Downloader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 4:30 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (download videos, extract subtitles, prepare proofreading tasks, serve files, and set cron jobs) but contains several inconsistencies and privileged behaviors that you should review before installing.
Guidance
This skill is functional but has a few red flags you should consider before using it:

- Privileged paths and crontab: The scripts operate under /root/.openclaw/workspace and the cron installer edits the user's crontab. Only run the cron installer if you understand and accept these persistent system changes and you run the agent as the expected user. Inspect any cron lines before installing.
- Network exposure: setup_server.sh starts two HTTP servers bound to 0.0.0.0 on ports 8093 and 8095 (no auth). If you run this on a network-accessible host, these servers will expose video files publicly. If you want local-only access, modify the bind address or use firewall rules.
- Missing declared dependencies: The code calls yt-dlp and python3 http.server but the skill metadata does not declare required binaries. Ensure yt-dlp is installed and up-to-date before running; test downloads manually first.
- DeepSeek is not integrated automatically: subtitle_proofreader.py only generates a proofreading prompt file (it does NOT call an API or send data to an external DeepSeek endpoint). If you expect fully automated AI corrections, you'll need to wire in an API or model runner and consider how API keys/credentials are stored and used.
- Run in isolation first: Because the scripts write files in root paths, modify crontab, and open network ports, consider running the skill in a container, VM, or dedicated account with limited privileges. Review and, if needed, modify the scripts to use non-root workspace paths, bind servers to localhost, and preview cron entries before installing.

If you want, I can produce a safer checklist or a modified version of the setup scripts to avoid binding to 0.0.0.0 and to use a non-root workspace and explicit dependency checks.

Review Dimensions

Purpose & Capability
concern
The skill's name/description match the code: it downloads CBS/BBC YouTube content, extracts subtitles, prepares AI proofreading prompts, serves video via HTTP, and can set cron jobs. However, the package does not declare required binaries (yt-dlp, python3) or the implicit requirement to write to /root/.openclaw/workspace. The use of absolute root paths and crontab manipulation is stronger privilege than the description signals and is not declared in requirements.
Instruction Scope
concern
SKILL.md and scripts instruct the agent to run: (1) a cron installer that edits the user's crontab, (2) background HTTP servers bound to 0.0.0.0, and (3) yt-dlp downloads. The proofreading script does NOT itself call any DeepSeek API; it only generates prompt files for manual/other-system processing, so claims of automated AI proofreading are misleading. The scripts read/write files under /root/.openclaw/workspace and write logs under /root/.openclaw/workspace/logs; these filesystem and system cron changes are broader in scope than a simple 'download helper' and should be explicitly acknowledged.
Install Mechanism
note
There is no install spec (instruction-only), which reduces installer risk. But the code depends on external binaries (yt-dlp, Python http.server) and expects a DeepSeek model or manual step; these dependencies are not declared. The lack of an installer means nothing is automatically fetched at install time, but the runtime will invoke external binaries and modify crontab and background processes if you run the provided scripts.
Credentials
concern
The skill declares no required environment variables or credentials, but its behavior implies other requirements: network access to YouTube, filesystem write access to /root/.openclaw/workspace, and permission to modify crontab. It also references a DeepSeek service/model (no API key handling in code), which is inconsistent with the 'AI proofreading' claim. The absence of declared binaries and the use of root paths is disproportionate and may cause surprise or privilege escalation.
Persistence & Privilege
concern
While always:false, the skill provides scripts to install system cron jobs and to start background HTTP servers (nohup python3 -m http.server bound to 0.0.0.0). Those actions create long-lived system changes (scheduled jobs and open network ports) outside the agent runtime. Installing cron jobs and exposing an unauthenticated file server are persistent privileges that should be granted only after explicit review.