Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Content Analyzer

v0.1.0

Download videos and analyze their content with AI. Supports Bilibili, Douyin, YouTube and other platforms; extracts the speech track and analyzes the video structure.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the runtime instructions: downloading (yt-dlp), extracting audio (ffmpeg), transcribing (Whisper) and analyzing frames is coherent and expected for a video analysis tool.
Instruction Scope (flagged)
SKILL.md instructs the agent to download arbitrary URLs with yt-dlp, run ffmpeg/ffprobe and call the Whisper API. It also references storing/reading an OpenAI API key from ~/.openclaw/openclaw.json and mentions fetching danmaku/subtitles. The skill thus reads/writes a home-directory config and will execute arbitrary command-line tools. Those runtime file and exec operations are broader than the registry metadata indicates and should be disclosed.
Install Mechanism
No install spec (instruction-only), which reduces risk from downloads. However the instructions tell users to run pip3 install --break-system-packages yt-dlp and to install ffmpeg via package managers; the --break-system-packages flag can alter system Python packaging and may be undesirable. Overall install actions are plausible but require manual review.
Credentials (flagged)
Registry metadata claims no required env vars or config paths, but SKILL.md explicitly requires OPENAI_API_KEY (or an entry in ~/.openclaw/openclaw.json) for Whisper. This mismatch is material: the skill needs a private API key and will read/write a home config file but that was not declared in metadata.
Persistence & Privilege
The manifest field "always" is false, and there is no install step that forces persistent, system-wide changes beyond the recommendation to put the key in ~/.openclaw/openclaw.json. The skill does not request special platform-level privileges in the manifest.
What to consider before installing
This skill appears to do what it says (download videos, extract audio, transcribe with Whisper, analyze frames), but the manifest omitted that it needs an OpenAI API key and may read/write ~/.openclaw/openclaw.json. Before installing or running:
1) Confirm you are comfortable granting Exec permission to run yt-dlp/ffmpeg and to download arbitrary URLs (copyright risk).
2) Do not reuse a high-privilege OpenAI key; create a limited/test key or set usage limits.
3) Avoid running pip with --break-system-packages on critical systems.
4) Audit any secret stored in ~/.openclaw/openclaw.json and consider keeping it in an isolated environment.
5) Ask the publisher to update the metadata to declare OPENAI_API_KEY and the config path so the required permissions are explicit.
If you need higher assurance, run the workflow manually in a sandbox first.

Latest version: vk974fh3vm0hfs1gyzqm8ch4bxx82px7t
