Skill v1.0.2
ClawScan security
Baidu AI Cloud VOD Video Translation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 5:48 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to implement a genuine Baidu VOD video-translation integration, but its declared metadata and install requirements are inconsistent with the actual code and instructions (missing environment declarations and runtime dependencies), so proceed with caution and verify before installing.
- Guidance: This skill appears to be a real Baidu VOD translator, but there are mismatches you should resolve before installing. Verify that you are comfortable providing BAIDU_VOD_AK and BAIDU_VOD_SK (the scripts will require them); run the code in an isolated environment if possible. Check that Python dependencies (notably the 'requests' library) and any external CLI tools (e.g., Baidu Netdisk/`bdpan`) are available or declared. Ask the publisher to fix the metadata so required env vars and dependencies are declared, and review the scripts yourself (or have a trusted reviewer do so) to confirm there are no hidden endpoints or unexpected behaviors before running with your credentials or sensitive files.
Review Dimensions
- Purpose & Capability (note): Name, description, SKILL.md and the included scripts all implement a Baidu VOD (vod.bj.baidubce.com) translation workflow (upload media, create projects/tasks, translate subtitles/tts). Requiring BAIDU_VOD_AK/BAIDU_VOD_SK is reasonable for this purpose, but the skill registry metadata lists no required env vars while both SKILL.md and scripts explicitly require those credentials — an inconsistency that should be corrected.
- Instruction Scope (ok): SKILL.md limits runtime actions (collect parameters, require user confirmation, then run python3 scripts). It explicitly instructs the agent to scan local folders (Glob) and export BAIDU_VOD_AK/BAIDU_VOD_SK before running. These file-system and credential accesses are within the scope of video translation, but they do mean the agent will read local files and use user credentials — expected but worth noting.
- Install Mechanism (concern): There is no install spec (instruction-only) and code files are included; that is lower-risk than arbitrary remote downloads. However the scripts import third-party Python modules (requests) and call external tools (subprocess calls for Baidu Netdisk/`bdpan`) but the skill metadata only declares python3 as a required binary and lists no Python package dependencies. Missing dependency declarations and reliance on external CLI tools are an operational and coherence concern.
- Credentials (concern): The code and SKILL.md require BAIDU_VOD_AK and BAIDU_VOD_SK (and implicitly may rely on a logged-in Baidu Netdisk CLI), but the registry metadata lists no required environment variables. Requesting Baidu VOD credentials fits the stated purpose, but failing to declare them in metadata is an incoherence that could mislead users. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated or persistent system-wide privileges. It does interact with local files and may invoke external CLIs (e.g., bdpan) but does not attempt to modify other skills or system configs in the provided files.
