Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
video-knowledge-ingest
v1.0.0
Ingest and summarize cross-platform videos into a local knowledge base. Use when working with YouTube, Bilibili, Xiaohongshu, or local media/subtitle files a...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and code clearly require external tools (yt-dlp, ffmpeg/ffprobe, summarize/codex, a Whisper venv) and write to a local knowledge root, but the registry metadata lists no required binaries or env vars. The script also embeds user-specific defaults (/home/jason/.openclaw/workspace and /home/jason/.local/bin) which may not be appropriate for other installations. The requested/used capabilities are coherent with the stated purpose, but the metadata omission and hard-coded paths are unexpected and may cause incorrect behavior.
Instruction Scope
SKILL.md stays on task: normalize URL, attempt subtitles, fall back to media download + Whisper, summarize, and persist results. However, it expects the summarization step to run via `summarize --cli codex` (an external service) and instructs persisting transcripts and summaries to a local knowledge base. The instructions do not request secrets but implicitly require codex authentication (not declared) and will send transcript text to that backend when used.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed by the platform. All executable behavior is in bundled scripts and Python files included with the skill. No external download/install URLs are used by the skill itself.
Credentials
The skill declares no required env vars, but the code assumes specific local resources: a workspace venv at a hard-coded path (e.g. /home/jason/.openclaw/workspace/.venv-whisper-gpu), and resolves fallback binary paths like /home/jason/.local/bin/yt-dlp and /home/jason/.local/bin/summarize. The run() helper also prepends /home/jason/.local/bin and /home/jason/.npm-global/bin to PATH for subprocesses. These assumptions are disproportionate (user-specific paths and PATH tweaks) and may cause unexpected use of local binaries or failure on other systems. The summarize/codex step will transmit transcript data to an external summarization backend if used; that external dependency is not represented in metadata.
Persistence & Privilege
The skill writes persistent artifacts (transcripts, summaries, metadata, downloads, and an append-only index) to a local knowledge-root (default under /home/jason/.openclaw/workspace/knowledge/video-notes). It does not request elevated platform privileges and is not always-enabled. Persisting user content locally is expected for its purpose but the hard-coded default path and the instruction 'do not move them unless asked' are noteworthy for users who expect skill data elsewhere.
What to consider before installing
This skill appears to implement the described video→transcript→summary pipeline, but exercise caution before installing:
1) The package metadata claims no required binaries, yet the code needs yt-dlp, ffmpeg/ffprobe, a Whisper venv, and the `summarize --cli codex` tool — ensure you install and trust those tools first.
2) The code uses hard-coded, user-specific paths (e.g. /home/jason/.openclaw/..., /home/jason/.local/bin) and temporarily prepends them to PATH for subprocesses; update these defaults to match your environment to avoid accidentally using unexpected binaries.
3) Summarization uses an external backend (codex) and will send transcript text to that service if you run it — confirm privacy and authentication expectations.
4) The skill writes persistent transcripts/summaries/index entries to a local KB (default path above); if that data is sensitive, change the KB root before use.
5) Because the skill has executable scripts, review and (if needed) run it in a sandbox or test workspace first.
If you want to proceed, update the default paths in the scripts, install the declared tools, and verify codex/summarize authentication separately.
Like a lobster shell, security has layers — review code before you run it.
