v1.0.0

Video Analyzer (TikTok + YouTube + Instagram)

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

The skill’s main video-analysis purpose is coherent, but it persists transcripts locally despite presenting saving as optional and includes an unsafe shell-style save step for transcript data.

Guidance: Review this skill before installing. It appears designed for local video transcription, but you should be comfortable with local transcript caching, know where the transcripts and staging files are stored, verify the external dependencies/repository, and avoid using the shell-based save workflow until transcript data is passed safely.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
README.md
Transcripts you choose to save go into a local folder on your machine only ... Say yes → it goes into your local library.

The documentation frames transcript persistence as user-chosen, but the included transcription code automatically saves transcripts to the local library during normal processing.

User impact: Users may believe declining the save prompt avoids local retention when the transcript has already been cached.
Recommendation: Make the documentation match the implementation, or change the implementation so persistence is genuinely opt-in.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
python3 ~/.openclaw/skills/tiktok-analyzer/save_transcript.py "VIDEO_ID" 'JSON_DATA'

The save workflow tells the agent to put JSON_DATA, which can include arbitrary transcript text from an external video, directly into a shell command without explicit escaping, stdin, or file-based handling guidance.

User impact: A transcript containing quotes or shell metacharacters could break the command or lead to unintended command behavior if inserted unsafely.
Recommendation: Pass transcript JSON through stdin, a temporary file, or a structured argv API, and validate or escape values before invoking shell commands.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
README.md
pip3 install faster-whisper yt-dlp --break-system-packages

gh repo clone holl4ndtv/tiktok-analyzer ~/.openclaw/skills/tiktok-analyzer

The skill relies on external, unpinned packages and a GitHub clone path. This is expected for local video transcription, but users should verify the source and dependencies.

User impact: Installing the skill can modify the local Python environment and pull code/packages from external sources.
Recommendation: Use trusted package sources, consider a virtual environment, pin versions where practical, and verify the repository before cloning.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
transcribe.py
# Save to cache
cache_file = TRANSCRIPTS_DIR / f"{video_id}.json"
with open(cache_file, "w") as f:
    json.dump(result, f)

The transcription command writes every transcript to a persistent local cache as part of normal processing, before the documented post-answer opt-in save prompt.

User impact: A transcript may remain in the local video library and be reused later even if the user declines the later save prompt.
Recommendation: Only write transcripts to the persistent library after an explicit user yes, or use a temporary cache with clear retention and deletion behavior.