Video Subtitle Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned for making subtitles, but translation uses your LLM API key and sends subtitle text to a remote provider, and setup installs large unpinned ML packages.

This skill is reasonable for subtitle generation. Before installing, confirm you are comfortable with large ML package/model downloads. Before translating, confirm the API provider, base URL, billing impact, and whether the video's spoken content is safe to send to that provider. Use a virtual environment and keep generated .json/.srt transcript files in a location appropriate for their sensitivity.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may pull large and changing third-party packages from package repositories.

Why it was flagged

The skill asks users to install dependencies from this requirements file, but the packages are not version-pinned. This is common for small tools, but it means the code that gets installed can change from one install to the next.

Skill content

whisperx
torch
torchaudio
openai

Recommendation

Install in a virtual environment, review the packages, and consider pinning known-good versions before production or sensitive use.

What this means

Translation can consume paid API credits and uses whatever provider/account is configured.

Why it was flagged

The translation step uses a user-provided LLM API key. This is expected for the stated translation feature, but it grants access to the user's paid provider account.

Skill content

parser.add_argument('--api-key', default=os.getenv('OPENAI_API_KEY'), help='OpenAI API key')

Recommendation

Use a scoped or low-risk API key where possible, confirm the provider/base URL before translation, and avoid passing secrets on the command line if shell history or process listings are a concern.

What this means

Private speech from videos may be sent to an external LLM provider during translation.

Why it was flagged

Subtitle text is placed into an LLM prompt and sent to the configured remote API endpoint for translation. This is purpose-aligned and disclosed, but it crosses a data boundary.

Skill content

client.chat.completions.create(
    model=model,
    messages=[{"role": "user", "content": prompt}],

Recommendation

Do not translate sensitive videos through a remote provider unless its privacy and retention terms are acceptable; use local-only transcription when privacy is required.

What this means

A malicious or unusual video transcript could cause inaccurate or malformed translated subtitles.

Why it was flagged

Text extracted from subtitles is inserted directly into the LLM prompt. When untrusted videos are processed, their spoken content, and therefore the subtitle text derived from it, could attempt to influence the format or content of the translator's response.

Skill content

prompt += f"{j}. {text}\n"

Recommendation

Treat source transcript text as untrusted data; for stronger robustness, delimit source text clearly and instruct the model that source content must not override translation instructions.