Skillv1.0.1

ClawScan security

Video Subtitle Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 6:08 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and runtime instructions match its stated purpose (transcribe with WhisperX and translate via an LLM); the main issues are a small metadata omission and operational cautions (model downloads, token costs), but nothing indicates intentional misdirection.
Guidance: This skill appears to do what it says: local transcription with WhisperX and optional translation via a remote LLM. Before installing or running: 1) Expect large downloads and significant disk/compute usage (PyTorch, WhisperX, model weights). 2) Translation calls a remote API and will consume tokens (real cost) — provide an API key only if you accept charges. 3) The skill's registry metadata does not declare the required OPENAI_API_KEY / OPENAI_BASE_URL even though SKILL.md and translate.py use them — confirm this with the skill author or assume you'll need to set OPENAI_API_KEY to enable translation. 4) Install into a virtual environment and review the translate.py code if you need to confirm which endpoints are called (default base URL is openrouter.ai). 5) If you have concerns about third-party endpoints, override OPENAI_BASE_URL to a provider you trust or skip the translation step and run transcription only.

Review Dimensions

Purpose & Capability: okName/description (video subtitle generation + translation) align with the included scripts (transcribe.py, translate.py, run.py), requirements.txt, and README. WhisperX is used for transcription and an LLM client for translation — these are expected for the stated functionality.
Instruction Scope: noteSKILL.md and the scripts clearly instruct extracting audio, running WhisperX locally, and calling a remote LLM for translation. The instructions require setting OPENAI_API_KEY and optionally OPENAI_BASE_URL for translation and warn about costs and asking user consent before translation — appropriate scope. Minor inconsistency: registry metadata declared no required env vars even though the runtime expects OPENAI_API_KEY/OPENAI_BASE_URL when doing translations.
Install Mechanism: okThere is no embedded install script; the skill is instruction-and-code-only. It relies on pip installing standard packages (whisperx, torch, torchaudio, openai) which is typical for this use case. Note: these packages and model weights are large and pip install will fetch code from PyPI (normal but heavy).
Credentials: noteThe skill uses only environment variables appropriate to its operation (VIDEO_DIR, OUTPUT_DIR, TRANSLATED_DIR, TARGET_LANG, WHISPER_MODEL, and OPENAI_API_KEY/OPENAI_BASE_URL for translation). However, the registry metadata lists no required env vars while SKILL.md and translate.py require an API key for translation — a mismatch the user should correct/confirm before install.
Persistence & Privilege: okThe skill does not request persistent/always-on privileges. always is false and it does not modify other skills or system-wide settings. It runs as local scripts and only uses env vars and filesystem paths under the user's control.