Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiao Hong Shu Video Analyser
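v1.0.1
Download and analyze Xiaohongshu video content. When the user provides a Xiaohongshu link (xiaohongshu.com), automatically download the video, extract the spoken text, and organize and summarize the content. Use when user provides a xiaohongshu.com URL and wants video content analysis.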
⭐ 2 · 346 · 1 current · 1 all-time
by KINO @hviktortsoi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the code and instructions: scripts download a Xiaohongshu video, extract audio (ffmpeg/yt-dlp), and send audio to the Poe API (Gemini) for transcription and summarization. There are no unrelated cloud credentials or unexpected services requested.
Instruction Scope
SKILL.md and scripts describe and implement the expected workflow. The shell script and Python downloader operate only on the provided URL/work directory. The agent is instructed to send audio files to api.poe.com for transcription, which matches the stated design. The scripts read ~/.openclaw/openclaw.json as a fallback for POE_API_KEY.
Install Mechanism
No install spec is present (instruction-only with included scripts). No remote download/install of arbitrary code occurs; only local scripts are run. This is low-risk from an install mechanism standpoint.
Credentials
Metadata lists no required env vars, but both SKILL.md and scripts require a POE_API_KEY (or an entry in ~/.openclaw/openclaw.json). This mismatch is a meaningful omission: the skill will attempt to read the API key from your home config file or environment and will send audio data to Poe. The number and type of credentials requested (a single Poe API key) are proportionate to the task, but the omission from metadata is an incoherence that should be fixed/confirmed before use.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs transiently and writes outputs to a working directory (default /tmp/xhs-analysis-<ts>), which is expected behavior.
What to consider before installing
This skill appears to implement the stated Xiaohongshu video → audio → Poe/Gemini transcription → summary flow, but double-check these before installing:
(1) The published metadata omitted POE_API_KEY even though SKILL.md and the scripts require it — confirm you are comfortable the skill will read $POE_API_KEY or ~/.openclaw/openclaw.json.
(2) The skill will upload audio to api.poe.com (a third-party transcription service) — avoid using it with sensitive or private audio unless you trust the service and key.
(3) It depends on ffmpeg (and optionally yt-dlp) being available; yt-dlp is used as a fallback.
(4) The downloader scrapes the Xiaohongshu page and writes video/audio/transcripts into a work directory (default /tmp); check and clean that directory if needed.
If you plan to use this skill, request the author to update the registry metadata to declare POE_API_KEY as a required environment variable and to document any other runtime requirements. If you don’t trust the source, consider inspecting or running the scripts in an isolated environment or using a throwaway/limited Poe API key.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f15ap7gadnyxpykmvn2dswd82kmtx
