Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Editor
v1.0.14
Automate YouTube video editing: download videos, transcribe with Whisper, analyze content using GPT-4, and create Korean SEO-optimized metadata plus consiste...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and the included script clearly require an OpenAI API key (OPENAI_API_KEY) and optionally NANO_BANANA_KEY for image generation; however the registry metadata lists no required environment variables or binaries. The skill also requires FFmpeg and optional Python packages (playwright, rembg), which are declared only in SKILL.md/script comments, not in registry metadata. These mismatches mean the skill's declared requirements in the registry are incomplete/untrustworthy.
Instruction Scope
The runtime instructions and script stay within the advertised purpose: downloading video or using a local file, extracting audio, transcribing with Whisper, analyzing with GPT, and rendering thumbnails. Notable scope items: it executes subprocesses (ffmpeg, uv run), reads user-provided avatar/font files, writes transcripts/thumbnails to the working directory, and will execute a separate skill script if nano-banana-pro is present. The script includes URL validation to block localhost/private IPs and HTML-escapes text before embedding in HTML, which is good. Cross-skill execution (uv run of a script in another skill) expands the attack surface and should be reviewed before use.
Install Mechanism
There is no install spec (instruction-only skill with one script file). That reduces supply-chain risk because nothing is auto-downloaded or written during install. The script expects system packages (ffmpeg) and Python libs but does not fetch arbitrary remote archives.
Credentials
At runtime the script requires OPENAI_API_KEY (mandatory) and optionally NANO_BANANA_KEY. The registry metadata, however, declared no required env vars — a clear inconsistency. The requested credentials are proportional to the feature set (Whisper/GPT + optional image API), but the registry omission is a red flag: the agent may be installed without communicating that it will need your OpenAI key. The skill does not request unrelated secrets, but you should confirm before providing keys.
Persistence & Privilege
The skill does not request 'always: true' or otherwise demand permanent, forced inclusion. It does not modify other skills' configs. Its ability to call another skill's script increases blast radius only if that other skill is present; by default it only runs when invoked and only if nano-banana-pro is installed.
What to consider before installing
Before installing or running this skill:
1) Expect to provide your OPENAI_API_KEY (required for transcription and GPT). The registry metadata does not declare this — the discrepancy is suspicious.
2) Install FFmpeg and the optional Python dependencies (playwright, rembg) if you want thumbnails.
3) The skill can call a separate nano-banana-pro script via fixed paths; only allow that if you trust the nano-banana-pro skill source (review its code).
4) The script writes files (transcripts, HTML, PNG) and reads your avatar/font files — don't run it on machines with sensitive local data unless you audited the script.
5) If you're not comfortable auditing the code or the external nano-banana-pro skill, treat this as untrusted and do not provide API keys or run on private videos.
If you want higher assurance, ask the author to update the registry metadata to declare required env vars and system dependencies and to document exactly which external scripts it will execute.
Like a lobster shell, security has layers — review code before you run it.
latestvk971a5jc1b9krqr44wk0t0z9z980yykr
