Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Analyzer
v1.0.1
Download, transcribe, and analyze videos from YouTube, X/Twitter, and TikTok with local Whisper processing. Perfect for extracting TL;DRs, timestamps, and ac...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description request downloading and local Whisper transcription; required binaries (yt-dlp, ffmpeg, whisper-cli) and the included Python script directly implement that functionality. Homebrew install entries correspond to the declared tools and are proportionate.
Instruction Scope
SKILL.md instructs the agent to run the included script and to read the transcript file it produces — this matches the skill purpose. The script writes files to /tmp, the user's Desktop, and (when models are first downloaded) /opt/homebrew/share/whisper-cpp. One coding concern: the script uses subprocess.run(..., shell=True) with formatted command strings. It attempts to escape single quotes in URLs but does not perform comprehensive sanitization of other user-supplied parameters (e.g., --lang). This is a practical safety note (possible shell-injection vector if malicious input is passed), not an incoherence with the described purpose.
Install Mechanism
Install spec uses Homebrew formulas (uv, yt-dlp, ffmpeg, ggerganov/whisper-cpp). These are expected for local transcription; model downloads use curl from Hugging Face (WHISPER_BASE_URL) which is a reasonable, known host. The large 'max' model may require several GB of disk and time to download — expected behaviour, not malicious.
Credentials
The skill requests no environment variables or secrets. It does write models to a shared Homebrew path and outputs files to Desktop and /tmp, which are consistent with a local transcription/download tool and proportional to its purpose.
Persistence & Privilege
The skill does not request always: true, persistent privileges, or modifications to other skills. It runs on demand and stores models and output files in reasonable locations. No unexpected privilege escalation is present.
Assessment
This skill appears to do exactly what it says: download videos, transcribe locally with whisper-cpp, and produce timestamped transcripts. Before installing, consider:
1) It will install Homebrew packages and download Whisper models (the 'max' model is ~3GB) to /opt/homebrew/share/whisper-cpp — ensure you have disk space.
2) The script writes to /tmp and your Desktop (downloaded media), so expect files on disk.
3) The code runs shell commands via subprocess with formatted strings; while it attempts basic quoting for URLs, avoid passing untrusted or crafted inputs (especially odd --lang values) — review the script if you plan to run it in a security-sensitive environment.
4) The skill does not ask for API keys or try to send transcripts to external endpoints (only model downloads from huggingface and media fetches from the video host), but if you need stronger guarantees, run it in a sandbox or inspect/modify the script to use subprocess calls without shell=True (list form) and stricter input validation.
If those trade-offs are acceptable, the skill is coherent and implementationally reasonable.
Like a lobster shell, security has layers — review code before you run it.
latestvk97egwr1spvc8q4wb6mf6j2j9982bm13
Runtime requirements
🎥 Clawdis
Bins: uv, yt-dlp, ffmpeg, whisper-cli
Install
Install uv (brew)
Bins: uv
brew install uv
Install yt-dlp (brew)
Bins: yt-dlp
brew install yt-dlp
Install ffmpeg (brew)
Bins: ffmpeg
brew install ffmpeg
Install whisper-cpp (brew)
Bins: whisper-cli
brew install ggerganov/ggerganov/whisper-cpp