Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Caption Ai Skill

v1.0.2

Video Caption AI is an AI subtitle and video caption tool for creators who want readable, native-feeling text overlays that improve watch time. It helps gene...

by wes @imwyvern
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md claims frame-by-frame rendering using Pillow, precise font handling, and multilingual rendering, yet the skill is instruction-only with no code, no declared dependencies (Pillow, fonts, or ffmpeg), and no install spec. There's no explanation of where rendering runs (local agent, remote service) or how user video files are supplied. The stated upgrade/homepage domains are inconsistent with the package metadata (no homepage listed), which increases uncertainty.
Instruction Scope
The instructions are high-level marketing and capability descriptions rather than concrete runtime steps. They do not specify how to accept or process user video files, whether processing is local or sent to an external endpoint, what data is logged or returned, or which tools to run. This vagueness can lead an agent to ask for or transmit video files without clear boundaries.
Install Mechanism
There is no install specification and no code to execute. That lowers the immediate supply-chain risk because nothing will be written to disk or automatically installed by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportionate to an instruction-only package. However, because the skill promises external-style capabilities (rendering, multilingual fonts, A/B testing) without describing where they run, it's unclear whether the agent will ask for credentials or an upload at runtime — the absence of declared credentials is notable but not necessarily malicious.
Persistence & Privilege
The skill does not request always:true, has no install spec, and does not modify other skills or system settings. Autonomous invocation remains enabled (platform default), but there is no evidence the skill requests elevated persistence.
What to consider before installing
This package is essentially marketing — it advertises video rendering features but provides no code, install steps, or clear runtime behavior. Before installing or using it:
(1) Ask the publisher for the implementation repo or a concrete runtime plan (how videos are processed: locally or uploaded to a service, and where).
(2) Verify required dependencies (Pillow, fonts, ffmpeg alternatives) and explicit install instructions.
(3) Confirm privacy: if videos would be uploaded to mediaclaw.ai or mediaclawbot.com, get a privacy policy and retention details.
(4) Test with non-sensitive sample videos first.
(5) If you need local processing, prefer a skill that includes code or clear commands to run locally (so you can review what runs on your machine).
Because of the mismatch between claims and contents, treat this skill as untrusted until the publisher provides concrete implementation details.

Like a lobster shell, security has layers — review code before you run it.
