Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

虾转音频

v1.3.1

🎵 Audio/video format conversion and processing toolbox. Based on FFmpeg + Whisper AI; supports format conversion, extracting audio from video, merging, splitting, compression, viewing media info, and audio-to-text transcription.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description state FFmpeg + Whisper, and the bundled code (audio-forge.js, menu.js, transcribe.py) implements those features. However, the registry metadata at the top of the report lists no required binaries or environment variables, while SKILL.md and the code clearly require FFmpeg, Python, and (optionally) HF_ENDPOINT and the XZA_* environment variables. This is likely a packaging/metadata omission rather than malicious misalignment, but it is an inconsistency to be aware of.
Instruction Scope
SKILL.md and the code limit actions to running ffmpeg, invoking Python/transcribe.py, reading/writing local files provided by the user, and (expected) downloading Whisper models from the HuggingFace endpoint. The instructions do not ask to read unrelated system files or exfiltrate data to unknown endpoints.
Install Mechanism
There is no automated install spec; this is an instruction + code bundle. The transcribe step depends on the faster-whisper Python package and will cause the Whisper model(s) to be downloaded from HF_ENDPOINT on first run. Model downloads can be large (MBs to GBs) and are normal for this functionality; they come from HuggingFace by default (SKILL.md and transcribe.py default HF_ENDPOINT to https://huggingface.co).
Credentials
The skill does not request access to secrets or unrelated credentials. The declared environment variables (XZA_FFMPEG, XZA_FFPROBE, XZA_SCRIPTDIR, XZA_MODELDIR, HF_ENDPOINT) are reasonable for locating binaries and scripts and for controlling the model download source. No other environment variables or credentials are accessed in the code.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation remains enabled by default (normal for skills) but is not combined with other concerning factors.
Assessment
This skill appears to do what it claims: FFmpeg-based audio operations plus Whisper transcription. Before installing, ensure you have FFmpeg and Python available, and be prepared for first-run downloads of Whisper models (hundreds of MBs to multiple GBs) from HuggingFace or a mirror you configure via HF_ENDPOINT. Note that the registry metadata omitted the required binaries/env vars; that mismatch is likely a packaging oversight, so if you need a strict inventory or auditing, ask the author to update the skill metadata. If you have sensitive audio, remember that transcription produces local text files; run the skill in a sandbox or test environment if you want to validate its behavior before using it on production data.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
audio-forge.js:28: Shell command execution detected (child_process).
menu.js:71: Shell command execution detected (child_process).
