ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

video-translation

v1.0.0

Translate and dub videos from one language to another, replacing the original audio with TTS while keeping the video intact.

0· 254·0 current·0 all-time
bykusuriuri@ksuriuri
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's code and SKILL.md match the stated purpose (download subtitles, translate them, generate TTS audio, and replace the video's audio). However, the registry metadata lists no required env vars or binaries while SKILL.md explicitly requires NOIZ_API_KEY and ffmpeg — this mismatch is a documentation/metadata inconsistency that should be corrected.
!
Instruction Scope
Runtime instructions direct the agent to send the original video's audio (via --ref-audio-track) to the Noiz TTS backend so it can clone the voice and align emotion/duration. That means user audio will be uploaded to a third-party service; the SKILL.md also tells the agent to optionally persist the NOIZ_API_KEY into a project .env or run the tts.sh config helper. These behaviors are coherent with the skill's purpose but raise privacy and secret-handling concerns and should be made explicit to end users.
Install Mechanism
This is an instruction-only skill with two small local scripts. No network downloads or archive extraction are performed by the skill itself, and the scripts perform only local file operations and ffmpeg invocations. That is low-risk from an install mechanism perspective.
Credentials
The SKILL.md requires a NOIZ_API_KEY (for the Noiz TTS backend) and ffmpeg. These are proportionate to a TTS/voice-cloning workflow, but the registry metadata omitted these requirements. Also note the SKILL.md instructs the agent to offer to persist the API key to .env or via tts.sh — storing secrets in plaintext project files has risks and should be optional and documented.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require system-wide privileges. It does suggest optionally writing the NOIZ_API_KEY to a project .env, which affects repository files but is within expected installer behavior for an API-backed skill.
Assessment
Before installing: 1) Be aware this skill uploads original audio to the Noiz backend when you pass --ref-audio-track (voice cloning) — do not upload sensitive or private recordings unless you trust Noiz and have permission. 2) The SKILL.md requires NOIZ_API_KEY and ffmpeg, but the registry metadata omitted these; ensure you obtain a NOIZ_API_KEY and have ffmpeg installed. 3) The agent may offer to persist the API key to a .env file or call tts.sh config — prefer not to store secrets in plaintext in shared repos; consider using a secure secret store. 4) Verify the referenced youtube-downloader and tts skills come from trusted sources before cloning them into your skills/ folder. 5) If you need higher assurance, inspect the tts skill's code (network calls, where it sends audio) and test the workflow with non-sensitive sample videos first.

Like a lobster shell, security has layers — review code before you run it.

latestvk976wpcsbpbfn0n33v1x8jyx5582kp9h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments