Skillv1.0.0

ClawScan security

Video Understanding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 24, 2026, 1:16 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent for video metadata extraction and summarization: it references appropriate video APIs and optional tools (yt-dlp) and does not request unrelated credentials or persistent privileges.
Guidance: This skill appears to do what it says: fetch video metadata and summarize content. Things to consider before installing or using it: - If you want full transcription/speech-to-text, the skill suggests downloading audio/subtitles and using extra tools (e.g., yt-dlp plus an STT service). Installing yt-dlp (pip) or using an external STT service can download/process user content and may send it to third-party servers — only proceed if you trust those tools/services. - The YouTube Data API example needs an API_KEY; only provide API keys you trust and limit their scope. The skill itself does not request any credentials, but you may be prompted to supply them if you want API-based metadata rather than simple web scraping. - Downloading videos can touch copyrighted or private material. Ensure you have permission before downloading or transcribing content. - If you require stricter safety, ask for an explicit statement of where transcriptions or downloaded media will be sent (local-only processing vs. remote transcription API) and whether the agent will persist files on disk. Overall this skill is coherent and proportional to its purpose, but be mindful of optional external installs and transcription service choices.

Review Dimensions

Purpose & Capability: okThe name/description (video understanding, summarization, extracting titles/descriptions/duration) matches the instructions and resources which reference YouTube/Bilibili/Tencent APIs and optional download tools. Nothing requested or described is unrelated to video analysis.
Instruction Scope: noteInstructions remain within the stated purpose (identify platform, fetch metadata, extract subtitles/audio, summarize). They mention using third-party APIs and downloading audio/subtitles for speech-to-text, but do not instruct reading unrelated local files or exfiltrating data. Note: using download + STT may cause the agent to fetch and store video/audio data — a privacy consideration rather than an incoherence.
Install Mechanism: noteThe skill is instruction-only and includes no install spec (low static risk). The resources advise installing yt-dlp via pip for downloads; that is an optional external package installation the user/agent would perform and is not bundled. Installing third-party packages (pip/ PyPI) is a normal choice but increases attack surface if done automatically — the bundle itself does not perform that install.
Credentials: okThe skill declares no required env vars or credentials. The references correctly show where a YouTube Data API key would be used if the agent opts to call that API. No unrelated secrets or config paths are requested.
Persistence & Privilege: okThe skill does not request persistent presence (always:false), does not modify other skills/config, and does not declare privileged system access. Autonomous invocation is allowed by platform default but is not combined with other high-risk factors here.