Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video To Text

v0.1.0

Video to text converter. Downloads videos from Bilibili using bilibili-api, from other sites using yt-dlp, then transcribes audio using faster-whisper. Use w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and README: script downloads videos (bilibili-api or yt-dlp) and transcribes with faster-whisper. Required tools and libraries (yt-dlp, bilibili-api, ffmpeg, faster-whisper) are appropriate for the stated task.
Instruction Scope
SKILL.md and the script limit actions to downloading audio and transcribing. The README instructs users to extract Bilibili cookies via browser DevTools — this is necessary for authenticated Bilibili downloads but is sensitive; the skill does not attempt to transmit credentials anywhere else. The script runs yt-dlp via subprocess and performs HTTP GETs for audio URLs (expected).
Install Mechanism
No automated install spec; instructions tell user to pip install listed packages and ensure ffmpeg. This is low-risk and transparent.
Credentials
The skill does not request environment variables or external credentials by default. It does require Bilibili session cookies for downloading private/age-restricted content; those are provided via CLI or editing the script. Requesting these specific cookies is proportionate to Bilibili access, but storing credentials in the script or exposing them carelessly is a security risk.
Persistence & Privilege
Skill is not always-enabled, does not request special platform privileges, and does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: download video/audio and transcribe it locally. Before using it: (1) review the script locally (it’s short and readable) and run it in an isolated environment (virtualenv, container). (2) Be cautious when supplying Bilibili credentials: copy SESSDATA/bili_jct/buvid3 only from your browser and do not paste them into shared repos or logs; prefer passing them on the command line for ephemeral use. (3) Ensure yt-dlp and ffmpeg are installed from trusted sources because the script invokes yt-dlp as a subprocess. (4) Expect large model downloads and disk usage for medium/large faster-whisper models. If you want higher assurance, run the script on a machine/account where leaked cookies would have limited impact.

Like a lobster shell, security has layers — review code before you run it.
