ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Alert

v1.0.1

Download YouTube videos and transcribe audio using local Whisper. Use when you need to extract text from YouTube videos that don't have subtitles, or when yo...

0· 93·0 current·0 all-time
byken@dolphins1123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Registry description (top-level) states 'Download YouTube videos and transcribe audio using local Whisper', but SKILL.md, README.md, and crypto.py implement a crypto price monitoring/alert tool using the Binance API. These two purposes are mutually exclusive; nothing in the code or instructions relates to YouTube, Whisper, or audio transcription. This mismatch indicates either a packaging/metadata error or intentional mislabeling.
Instruction Scope
SKILL.md contains straightforward instructions: pip3 install requests and run python3 crypto.py with coin names or no args. The runtime instructions and script only query Binance public API endpoints and print results; they do not read arbitrary files, access environment variables, or transmit data to unexpected endpoints.
Install Mechanism
No install spec in registry; SKILL.md suggests pip3 install requests. This is low-risk and proportional to the Python script's dependency on the requests library. No downloads from untrusted URLs or archive extraction are present.
Credentials
The skill requests no environment variables, credentials, or config paths. The code uses only public Binance API endpoints (api.binance.com) and does not attempt to access secrets or unrelated services.
Persistence & Privilege
Skill flags are default (always:false, user-invocable:true). The skill does not request elevated persistence or modify other skills/config. Autonomous invocation is allowed by platform defaults but is not combined with other privilege or credential concerns here.
What to consider before installing
Do not install until the metadata mismatch is resolved. The code and SKILL.md implement a crypto price/alert script that calls Binance public APIs and requires only the requests package — that code appears coherent and low-risk. However, the registry description advertising YouTube/Whisper transcription does not match the included files; that could be a benign packaging error or an intentional mislabel. Before installing, ask the publisher to clarify or provide a repository link, verify the intended purpose, and confirm the source. If you still want to run it, review the code yourself (or run in an isolated environment) and only allow network access to the Binance API if appropriate.

Like a lobster shell, security has layers — review code before you run it.

latestvk975sfa6r6af9pf3s5t8cjrm7h83cc20

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments