ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tracked Video Analysis

v1.0.0

Analyze local or linked video files and convert them into structured summaries of features, functions, workflows, or topics. Use when a user wants a walkthro...

0· 262·2 current·2 all-time
byИван Романенко@mrgoodgreen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the provided artifacts: a JS extraction script and a Python structurer that read a local video (video.mp4 or workspace path), produce transcript.jsonl and final_analysis.md, and implement chunked ASR and grouping. There are no unrelated credential requests or unrelated binaries declared.
Instruction Scope
SKILL.md and references/pipeline.md limit actions to local acquisition, chunked ASR, and structured summarization and instruct the agent to read/write files under tmp/video_analysis or the working dir. The included scripts follow this pattern and write status/progress/transcript files. Note: the JS extraction script uses @xenova/transformers pipeline('automatic-speech-recognition', 'Xenova/whisper-tiny'), which will likely download model weights or perform network activity via that library at runtime; this is expected for ASR but should be considered when running offline or in restricted environments.
Install Mechanism
There is no install spec (instruction-only), but the code requires npm packages (@xenova/transformers, ffmpeg-static, ffprobe-static, wavefile) and Python for the structurer. This is not malicious but means the maintainer expects the runtime environment to install dependencies; model artifacts may be fetched by the transformers library at runtime. No arbitrary URL downloads or obscure extract/install steps are present in the skill itself.
Credentials
The skill requires no environment variables or credentials and the scripts do not reference secrets or external config paths. They only access local files (video.mp4, chunk_*.wav, status/log/transcript files).
Persistence & Privilege
Skill is not always-enabled and does not request elevated privileges. It writes progress and result files in the working directory and does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it says: chunk a local video, run ASR, and produce a structured summary. Before running, ensure you: (1) install required npm packages (/@xenova/transformers, ffmpeg-static, ffprobe-static, wavefile) in an isolated environment; (2) expect the transformers library to download ASR model weights (network access and disk space required); (3) provide the video locally or a direct download link as instructed; (4) review and run the scripts in a workspace directory (they write tmp/status/log/transcript/final_analysis files) and avoid feeding sensitive videos unless you trust the environment and any remote model provider; and (5) if you need stricter network control, confirm where the transformer model is sourced from (Xenova/Hugging Face) before allowing runtime downloads.
scripts/transcribe_tracked_light.mjs:25
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

analysisvk97ej366ppj16xakdjg4zk57nn82zmahlatestvk97ej366ppj16xakdjg4zk57nn82zmahtrackingvk97ej366ppj16xakdjg4zk57nn82zmahtranscriptionvk97ej366ppj16xakdjg4zk57nn82zmahvideovk97ej366ppj16xakdjg4zk57nn82zmahwhispervk97ej366ppj16xakdjg4zk57nn82zmah

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments