Skill v3.2.1
ClawScan security
Video Download Transcribe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 11:59 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what its name says (download + transcribe), but its instructions and shipped code request undeclared credentials, reference hard-coded user paths, and rely on external services — the pieces are inconsistent enough that you should review before installing.
- Guidance
- Key points to consider before installing:
  - Missing declared env vars: the manifest lists no required environment variables, but the code and SKILL.md expect DOUYIN_CHROMIUM_PATH and several API keys (SILICONFLOW_API_KEY, MINIMAX_API_KEY, TikHub token, etc.). Ask the author to declare every required secret in the skill metadata before installing.
  - Inspect setup.sh and server.py: setup.sh will install Playwright/Chromium and assumes specific venv and repo locations; server.py contains hard-coded absolute paths (/Users/kk/...). These paths cause the skill to try importing code outside the skill folder — review those imports and remove or fix hard-coded paths.
  - External services & credentials: the skill will call third-party endpoints (liuxingw.com, tikhub, api.minimax.chat, api.siliconflow.cn). Do not provide unrelated credentials (AWS, GitHub, global OpenAI key) to make it work. If you must use cloud STT, restrict keys to a dedicated minimal-scope account and prefer local models.
  - Run in a contained environment first: install and run the setup and server in a sandboxed VM, container, or isolated user account. Verify what files are written (transcripts dir), what network calls are made, and which processes are spawned.
  - Prefer local-only configuration: if you only need local downloads + local whisper, disable or remove cloud/STT branches in server.py and avoid running the parts that call remote APIs.
  - If you plan to trust it, ask the maintainer to: (1) remove hard-coded absolute paths, (2) list all required env vars and secrets in the manifest, (3) provide an installation spec that doesn't rely on guessing user venv locations, and (4) document what external domains are contacted and why.
- If you want, I can:
  - Extract and list every external domain/endpoint the skill calls from server.py and SKILL.md, and
  - Produce a minimal checklist of commands to run in a disposable container to validate behavior safely.
Review Dimensions
- Purpose & Capability
- concern: Name/description match the shipped behavior (yt-dlp, ffmpeg, local whisper). However, the shipped code and requirements reference multiple cloud services and API keys (SILICONFLOW_API_KEY, MINIMAX_API_KEY, THIRD_PARTY_API, TikHub) and include 'openai' packages in requirements even though the manifest declares no required credentials. The manifest declares no env vars but SKILL.md and server.py expect DOUYIN_CHROMIUM_PATH and several secret keys — a mismatch that is disproportionate to the stated simple downloader/transcriber purpose.
- Instruction Scope
- concern: SKILL.md instructs running setup.sh, using mcporter to call local MCP endpoints, and importing/running local Python servers. Instructions refer to environment variables (DOUYIN_CHROMIUM_PATH) and to using remote services (TikHub, third-party parse APIs). The runtime instructions and server.py perform network calls to third-party endpoints, may invoke subprocesses that run Playwright browser code, and read/write transcript files. They also reference and attempt to import code from absolute user-specific paths (/Users/kk/...), which is scope creep and may cause the skill to access files outside its declared workspace.
- Install Mechanism
- note: There is no formal manifest install spec, but the included setup.sh will drive Playwright to download Chromium via a known mirror (npmmirror) and references cloning or using an external repo (github.com/openclaw/openclaw-media). Those are traceable, not obfuscated downloads. Still, setup.sh assumes particular local paths and a specific virtualenv layout; running it will write files and may pull remote dependencies (playwright/chromium).
- Credentials
- concern: The skill declares no required env vars but the code expects and uses multiple environment variables and API keys (DOUYIN_CHROMIUM_PATH, DOUYIN_STT_MODE, SILICONFLOW_API_KEY, SILICONFLOW_BASE_URL, MINIMAX_API_KEY, WHISPER_MODEL_DIR, TRANSCRIPTS_DIR, DOUYIN_THIRD_PARTY_API, etc.). Some are sensitive (API keys) and are not listed in the skill metadata; that's an incoherence and a potential risk of accidental credential exposure if you supply unrelated keys to make it work. The skill also depends on network access and external services (TikHub, liuxingw.com, api.minimax.chat, api.siliconflow.cn).
- Persistence & Privilege
- concern: The skill does not request always:true, but the shipped code references and imports from absolute paths outside the skill workspace (e.g., /Users/kk/.openclaw/mcp-servers/douyin-analyzer). Those hard-coded paths could cause the skill to import or execute code residing elsewhere on disk if present. The setup script will install Playwright/Chromium and suggests registering an MCP server and background transcription (transcripts directory). While this is expected for a long-running transcriber, the cross-path references and potential to run subprocesses that execute embedded Python snippets increase the attack surface and persistence-like effects.
