Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

video-transcriber

v1.0.0

Transcribe speech from videos

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description (video transcription) matches the requested TRANSCRIPTION_API_KEY in SKILL.md, which is appropriate for a transcription service. However, the registry metadata declares no required env vars or credentials while the instructions explicitly require TRANSCRIPTION_API_KEY — an inconsistency that should be explained by the author.
! Instruction Scope
SKILL.md tells the agent to run `python3 scripts/video_transcriber.py`, but the skill bundle contains no scripts or code. That means the instructions either assume code exists elsewhere (not provided) or will cause the agent to fetch or generate code at runtime — a behavior that broadens scope and risk. The instructions also ask for an API key but give no guidance about the vendor/service or where the key will be sent.
Install Mechanism
There is no install spec and no code files — lowest install risk. However, the missing script increases runtime ambiguity (agent may try to obtain or run external code).
! Credentials
SKILL.md requires a TRANSCRIPTION_API_KEY (reasonable for a transcription integration) but the skill metadata lists no required env vars or primary credential. The discrepancy between declared requirements and runtime instructions is a red flag.
Persistence & Privilege
Skill is not always-enabled and uses default autonomous invocation behavior. It does not request persistent system-wide configuration or declare elevated privileges in the manifest.
What to consider before installing
This skill's README tells you to run a local Python script and to set TRANSCRIPTION_API_KEY, but the package you were given contains no script and the metadata doesn't declare that env var. That could be sloppy packaging or an attempt to make the agent fetch/run external code. Before installing or providing any API key: (1) ask the publisher for the missing script or a full source listing, (2) verify which transcription service the API key is for and only provide a scoped/test key, (3) prefer running in a sandbox, and (4) avoid giving high-privilege credentials. If the author can't explain the mismatches, treat the skill as unsafe.

Like a lobster shell, security has layers — review code before you run it.
