Skill v1.0.0

ClawScan security

学习类视频转笔记工具 (learning-video-to-notes tool) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 10, 2026, 7:30 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (audio extraction, splitting, Whisper transcription, note generation, and notifications), but it contains several internal inconsistencies and hard-coded paths and behaviors that do not match its stated generic purpose and that increase risk if you run it as-is.
Guidance
This skill performs the advertised steps (ffmpeg, Whisper, markdown output, notifications) but has several red flags you should address before running it on real data or giving it credentials:
1) It expects QQ Mail credentials and a Feishu webhook, but the registry metadata does not declare them. Confirm which env vars are actually required and why.
2) The note organizer is hard-coded to OSPF/networking content and ignores the transcriptions, so it may not produce correct notes for unrelated videos.
3) The code contains hard-coded absolute paths (/home/fangjinan/...) and invokes a qqmail script in another skill directory. Verify that script's contents and that the cross-skill call is safe.
4) fix_monitor.py modifies monitor_web.py in the workspace. Review that file and avoid running code that silently overwrites other files.
Recommendations: review the qqmail script and monitor_web.py before use; run the skill in an isolated sandbox; do not set real mailbox auth vars until you have validated the sending logic; and ask the author to remove the hard-coded paths, declare the required env vars in metadata, and fix the organizer to actually use the transcripts (or document that it is OSPF-specific). If you cannot validate these points, treat the skill as untrusted: do not give it credentials or run it on sensitive data.

Review Dimensions

Purpose & Capability
concern
The skill claims a generic 'video→notes' workflow, but the organizer logic is hard-coded to produce OSPF/networking notes (organize_content returns OSPF-specific sections) rather than using the transcribed text. The code also embeds references to qwen3.5-plus in its output without showing any actual LLM integration. Several scripts (start_video8.sh, start_monitor.sh) use hard-coded user-specific paths (/home/fangjinan/...), which is out of place in a tool presented as generic.
Instruction Scope
concern
SKILL.md and the code instruct the use of QQ Mail and an optional Feishu webhook and imply environment variables (QQMAIL_USER, QQMAIL_AUTH_CODE, FEISHU_WEBHOOK), but the skill metadata declares no required env vars. The code calls an external qqmail script in another skill directory and may post progress to an external webhook; both actions send local task metadata (file paths, timestamps) off the machine. fix_monitor.py edits monitor_web.py under the workspace path, so the skill contains code that modifies other files in the workspace.
Install Mechanism
note
There is no install spec (the lowest install risk), but the bundle includes several executable scripts and Python files that are written to disk when the skill is installed. No third-party downloads or unusual installers are used.
Credentials
concern
SKILL.md and the code use QQ Mail credentials (QQMAIL_USER, QQMAIL_AUTH_CODE) and FEISHU_WEBHOOK, but the registry metadata lists no required env vars. The tool calls a local qqmail script and falls back to a placeholder email address if QQMAIL_USER is unset, which is sloppy. Requesting mailbox auth for sending notifications is reasonable, but it should be declared explicitly and scoped; here the mapping between the claimed purpose and the required secrets is inconsistently documented.
Persistence & Privilege
concern
always:false (good), but fix_monitor.py opens and overwrites monitor_web.py in the workspace path, so the skill contains code that modifies files on disk in the skills workspace. It also invokes scripts in other skill directories (/home/fangjinan/.openclaw/workspace/skills/qqmail/...), which shows cross-skill filesystem access and the potential to affect other skills' behavior.
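The Guidance above tells you to review the bundle for undeclared env vars, hard-coded home paths, cross-skill script calls and file-overwriting code before installing it. The following script is an added example of doing that review mechanically; it is not ClawHub's scanner and not the skill's own code. It builds a small constructed bundle (file names modelled on the report, but the paths, the user name `alice` and every line of content are made up) and audits it for the four findings in the Instruction Scope and Persistence & Privilege dimensions. The `declared_env` set stands in for whatever the registry metadata declares, since this page does not show the metadata format; treat that and the regex heuristics as assumptions to adapt to your own registry.

```python
"""Pre-install audit of a skill bundle for the red flags in this report.

Added example, not ClawHub's scanner and not the skill's own code. It looks
for four things the report calls out: hard-coded /home/<user>/ paths, env
vars the code reads but the metadata does not declare, paths into other
skills' directories, and Python code that writes files. The sample bundle
below is constructed (paths, user name and file contents are made up) and
the `declared_env` set stands in for whatever your registry's metadata
declares; both are assumptions, not details of the real skill.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

HOME_PATH_RE = re.compile(r"/home/[^/\s\"']+/")
# os.environ["X"] / os.environ.get("X") in Python; $X / ${X} in shell scripts
ENV_PY_RE = re.compile(r"os\.environ(?:\.get\(|\[)\s*[\"']([A-Z][A-Z0-9_]*)[\"']")
ENV_SH_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?")
SHELL_BUILTIN_ENV = {"HOME", "PATH", "USER", "PWD", "SHELL"}  # not skill config
CROSS_SKILL_RE = re.compile(r"/skills/([A-Za-z0-9_.-]+)/")
# open(..., "w"/"a") or Path.write_text(); heuristic, misses writes via nested calls
WRITE_RE = re.compile(r"\bopen\([^)]*?[\"'][wa]\+?[\"']\s*\)|\.write_text\(")
SOURCE_SUFFIXES = {".py", ".sh", ".md"}


def audit_skill(skill_dir: Path, skill_name: str, declared_env: set[str]) -> dict:
    """Scan every source file under skill_dir and collect the findings."""
    findings = {
        "hardcoded_home_paths": [],  # (file, line_no, matched path prefix)
        "undeclared_env": set(),     # env var names read in code but not declared
        "cross_skill_refs": [],      # (file, line_no, other skill's name)
        "file_writes": [],           # (file, line_no)
    }
    for path in sorted(skill_dir.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        rel = path.relative_to(skill_dir).as_posix()
        lines = path.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            for m in HOME_PATH_RE.finditer(line):
                findings["hardcoded_home_paths"].append((rel, line_no, m.group(0)))
            names = ENV_PY_RE.findall(line)
            if path.suffix == ".sh":
                names += [n for n in ENV_SH_RE.findall(line) if n not in SHELL_BUILTIN_ENV]
            findings["undeclared_env"].update(n for n in names if n not in declared_env)
            for m in CROSS_SKILL_RE.finditer(line):
                if m.group(1) != skill_name:
                    findings["cross_skill_refs"].append((rel, line_no, m.group(1)))
            if path.suffix == ".py" and WRITE_RE.search(line):
                findings["file_writes"].append((rel, line_no))
    return findings


def build_sample_skill(root: Path) -> Path:
    """Write a constructed bundle that reproduces the report's red flags."""
    skill = root / "video-notes"
    skill.mkdir()
    (skill / "SKILL.md").write_text(
        "Set QQMAIL_USER and QQMAIL_AUTH_CODE for mail; FEISHU_WEBHOOK is optional.\n"
    )
    (skill / "notify.py").write_text(
        "import os, subprocess\n"
        "user = os.environ.get('QQMAIL_USER', 'user@example.com')\n"
        "code = os.environ['QQMAIL_AUTH_CODE']\n"
        "hook = os.environ['FEISHU_WEBHOOK']\n"
        "subprocess.run(['/home/alice/.openclaw/workspace/skills/qqmail/send.py', user])\n"
    )
    (skill / "fix_monitor.py").write_text(
        "target = '/home/alice/.openclaw/workspace/monitor_web.py'\n"
        "with open(target, 'w') as f:\n"
        "    f.write('# patched\\n')\n"
    )
    (skill / "start_monitor.sh").write_text(
        "#!/bin/sh\n"
        "cd /home/alice/.openclaw/workspace/skills/video-notes\n"
        'python3 monitor.py "$FEISHU_WEBHOOK" "$HOME"\n'
    )
    return skill


def run_demo(declared_env: set[str] | None = None) -> dict:
    """Build the constructed bundle in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = build_sample_skill(Path(tmp))
        return audit_skill(skill, "video-notes", declared_env or set())


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {sorted(value)}")
```

Run it against a real bundle by calling audit_skill with the skill directory, its name and the env vars its metadata declares; an empty undeclared_env set and empty cross_skill_refs and file_writes lists are what a clean generic tool should produce. Anything the script flags is a pointer to lines you should read by hand, not a verdict: the regexes are deliberately simple and will miss writes through nested calls or env vars read via helper functions.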