Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

07 Subtitle Gen

v1.0.3

Generate synced SRT subtitles locally from dialogue text and durations without API, ensuring platform-compatible timed captions for videos.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The manifest and SKILL.md claim to generate synced subtitles from an audio input. The included code never fetches or analyzes audio_url, does not compute timings from audio, and simply returns a single static 00:00:00 --> 00:00:03 caption with the dialogue appended. The required input (audio_url) is declared but unused, and no actual subtitle file is created or hosted despite returning a subtitle_url string. This is an implementation mismatch with the stated purpose.
! Instruction Scope
SKILL.md stays within the narrow scope of local subtitle generation and does not instruct reading unrelated files or contacting external endpoints. However, the runtime instructions and the code disagree: the docs imply real audio processing, but runtime code is a trivial stub. That mismatch is concerning because users (or agents) will expect behavior the skill does not provide.
Install Mechanism
No install spec and no external downloads. The skill is instruction-only with a tiny included Node.js entrypoint; nothing is written to disk or fetched during install. Low install risk.
Credentials
No environment variables, credentials, or config paths are requested. The declared surface is minimal and proportionate to the claimed local operation.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or attempt to modify other skills or agent-wide settings. Normal user-invocable behavior.
What to consider before installing
This skill is low-risk from a security perspective (no network calls, no credentials, no install), but it's misleading: it advertises synced subtitle generation from audio, yet the code ignores the audio_url and returns a static 3-second SRT fragment. Before installing or using it, consider:
1) Do not rely on this for production; test it with non-sensitive audio to confirm behavior.
2) Ask the author for a correct implementation that actually processes audio and writes/hosts the SRT, or modify the code yourself.
3) Be aware that subtitle_url is just a filename string; the skill does not create or expose a real file or URL.
If you need real audio-to-timestamped subtitles, choose a different, well-implemented skill or request additional code that genuinely analyzes audio.

Like a lobster shell, security has layers — review code before you run it.

latestvk9788b6ppg5z6hz7hvaceh63h584k82j
