Video Analyzer (TikTok + YouTube + Instagram)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its video-transcription purpose, but it stores transcripts automatically despite presenting saving as optional, and its save command handles transcript text unsafely.
Review before installing. The core local transcription behavior is plausible, but expect video audio/transcripts to be written under the skill directory, and be aware that transcripts are cached automatically. Prefer an updated version that makes saving truly opt-in, uses safer transcript-saving mechanics, and pins or declares its dependencies.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A transcript may remain on disk and be reused later even if the user believes saving is optional or says no to the save prompt.
The transcription path persistently saves the result into the transcripts directory automatically, before the separate opt-in save prompt described in the skill workflow.
# Save to cache
cache_file = TRANSCRIPTS_DIR / f"{video_id}.json"
with open(cache_file, "w") as f:
    json.dump(result, f)
Make transcript retention truly opt-in, separate temporary cache from the saved library, clearly disclose what is retained, and provide an easy delete or disable-cache option.
Users may trust that transcripts are not stored unless they opt in, while the skill actually keeps local transcript files by default.
This tells users transcript storage is based on their choice, but the included transcribe.py code automatically writes transcript cache files for new transcriptions.
Transcripts you choose to save go into a local folder on your machine only
Align the privacy statement with the implementation, or change the implementation so transcripts are only stored after explicit consent.
A crafted or unusual transcript could cause the save command to fail or, depending on execution semantics, lead to unintended local shell command execution.
The command pattern places JSON_DATA, which can include arbitrary transcript text from external media, directly inside a shell-quoted argument. Apostrophes or shell metacharacters in the transcript could break quoting or be interpreted unsafely if interpolated.
python3 ~/.openclaw/skills/tiktok-analyzer/save_transcript.py "VIDEO_ID" 'JSON_DATA'
Do not pass raw transcript JSON through a shell string. Use stdin, a temporary file, base64 encoding with validation, or an argv-safe tool interface that does not require shell interpolation.
Installing the skill may modify the local Python/system environment and pull whatever current versions of those dependencies are available.
The setup relies on external, unpinned packages and system/package-manager changes, while the registry metadata declares no required binaries or environment requirements.
brew install ffmpeg
pip3 install faster-whisper yt-dlp --break-system-packages
Declare required binaries/packages in metadata, pin or constrain dependency versions, avoid --break-system-packages where possible, and document the first-run model download source.
