Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gnview-script-extraction
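v1.0.0
This tool uploads local video files and performs script analysis, using a large model to analyze the video. It also supports custom analysis prompts and suits a range of Douyin/video data analysis scenarios.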
by @gnview
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, SKILL.md, and the included Python script all describe uploading an MP4 and calling VolcEngine ARK endpoints to analyze video; the network endpoints used (ark.cn-beijing.volces.com) match that purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and the script require an ARK API key; this metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to: (a) open a local MP4 file, (b) POST it as form data to the ARK file upload endpoint, and (c) call the ARK responses endpoint with a JSON body including file_id and prompt. The script does not attempt to read other system files or unrelated environment variables.
Install Mechanism
This is an instruction-only skill with one small Python script and a single dependency (requests). No installer, downloads, or archive extraction are used; risk from install mechanism is low.
Credentials
The SKILL.md and script clearly require a VolcEngine ARK API key (ARK_API_KEY). The registry metadata, however, declares no required environment variables or primary credential. Additionally, the documentation instructs passing the API key as a command-line argument, which can leak to process listings or shell history — this is a privacy/credential-handling concern. The number and scope of credentials (single ARK API key) is otherwise proportional to the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not install background components, and does not modify other skills or global agent configuration. It runs only when invoked.
What to consider before installing
- The script uploads your local MP4s to VolcEngine ARK (ark.cn-beijing.volces.com). Only install if you are comfortable sending those videos to that third-party service under its privacy policy.
- The SKILL.md and script require an ARK API key, but the registry metadata does not declare this — the metadata should be updated. Treat this as a warning sign and prefer skills that declare required credentials explicitly.
- The examples pass the API key as a CLI argument. That can expose the key via process listings (ps) or shell history. Prefer using a secure method (environment variable or a protected config file) and avoid pasting secrets on the command line.
- Verify the endpoint and owner independently (homepage/source are missing). If you cannot confirm the skill author or the endpoint's legitimacy, avoid uploading sensitive videos.
- The code appears straightforward (no obfuscated code) and performs only the described upload/analysis calls, but because the source and registry metadata are incomplete, proceed cautiously. If you need this functionality, ask the author to: (1) declare ARK_API_KEY in the skill metadata, (2) provide a homepage/source link, and (3) update instructions to accept credentials securely (env var or config) rather than as CLI args.

Like a lobster shell, security has layers — review code before you run it.
