ClawHub
Back to skill
v1.0.0

video-transcriber

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:15 AM.

Analysis

This is a simple video transcription skill, but it references a missing helper script and an undeclared transcription API key that users should verify before use.

GuidanceBefore installing or using this skill, confirm where the referenced transcription script comes from and use a narrowly scoped transcription API key. The provided artifacts do not show malicious behavior, but the package is incomplete as supplied.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
python3 scripts/video_transcriber.py --input <input> --output <output>

The instructions reference a helper script, while the provided manifest contains only SKILL.md and no code files. This is not malicious by itself, but users should verify the source and contents of any script they run.

User impactThe skill may not work as packaged, and running a separately obtained script would depend on that script's trustworthiness.
RecommendationOnly run the referenced script if it is present from a trusted source and you can review or verify what it does.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
export TRANSCRIPTION_API_KEY="your-api-key"

The skill asks for an API key that is not declared in the registry metadata. This credential is purpose-aligned for transcription, but the provider, scope, and handling are not specified.

User impactA transcription API key could authorize charges or access to a third-party transcription account, depending on the provider.
RecommendationUse a least-privileged API key for the intended transcription service and avoid sharing broader account credentials.