Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Analyzer CN

v1.0.0

Video content analysis tool. Supports Bilibili, Douyin and Toutiao video links. Send a video URL → automatic download → frame extraction → local AI per-frame recognition → combined summary. Uses a local minicpm-v model; no cloud API is required.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the included scripts: a downloader (douyin_download.py) and a per-frame analyzer (analyze_frames.py) that submits base64-encoded images to a local model API. The requested tools (ffmpeg, yt-dlp, Python, Chrome, local minicpm-v via ollama) are consistent with the stated workflow. One mismatch: SKILL.md refers to references/analyze.py, but the repository ships scripts/analyze_frames.py. This is most likely a documentation versus file-layout inconsistency, but it will break automated runs until one side is corrected.
Instruction Scope
The instructions tell the agent to extract Douyin video URLs through browser devtools (Chrome MCP) and optionally to use an external 'agent-reach' douyin MCP service. Browser automation means the agent interacts with the user's browser DOM, which can expose open pages and session tokens, so this step is sensitive. The skill also has the agent modify PATH in a PowerShell snippet and uses hard-coded local temp paths. Every network call in the shipped code targets either the video hosts or localhost:11434 (the local model server), but the external agent-reach MCP is an out-of-band dependency that could route data off-device if it is used.
Install Mechanism
No install spec: the skill is instruction-only plus two small Python scripts. Nothing in the manifest downloads or executes remote archives at install time, so risk from install-time code is low.
Credentials
The skill requests no environment variables or credentials (good). It does, however, use hard-coded Windows paths (C:\Users\39535\.openclaw\workspace\tmp and D:\AI\ffmpeg) and assumes a local model API at http://localhost:11434; these are plausible defaults but user-specific assumptions. The browser-based extraction step can reach browser state: SKILL.md explicitly warns against yt-dlp's cookies-from-browser option because Chrome encrypts its cookies, yet the agent still needs browser access to read video.src from the page. No secrets are requested by the skill itself.
Persistence & Privilege
The manifest's always flag is false and there are no service or account modifications, so the skill requests no permanent platform-level privileges. It writes temporary files to a workspace tmp path (documented) and expects the user or agent to clean them up.
What to consider before installing
- Correctness: SKILL.md refers to references/analyze.py but the provided script is scripts/analyze_frames.py. Confirm filenames and paths so the agent will actually run the analyzer.
- Local model: the analyzer sends base64 images to http://localhost:11434/api/generate (the common Ollama default). Make sure you run, and trust, a local model server on that port before using the skill; otherwise the requests will fail or hit an unexpected service.
- Browser automation: the skill asks the agent to extract video.src from pages using Chrome devtools (MCP). That requires the agent to interact with your browser; decide whether you trust the agent to access your open tabs and DOM. If you are uncomfortable, supply the direct video URL manually instead.
- External services: the doc mentions an optional 'agent-reach' douyin MCP service. Avoid any external MCP service unless you understand where the data (video URLs or frames) will be sent; it could leak video content or metadata off your machine.
- Test with non-sensitive content first: run the skill on a short public video to confirm its behavior, the temp file locations, and that only localhost and the video hosts are contacted.
- Clean up: confirm the temporary workspace path and delete temp videos and frames after use (the docs describe cleanup, but verify that it actually runs).
If the author corrects SKILL.md to point at the actual analyzer file and clarifies that no external agent-reach service is required (or documents exactly when it is used and where it runs), this assessment could be upgraded to 'benign'.
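Several of the checks above (the SKILL.md file reference that does not exist, the network endpoints the scripts contact, the hard-coded Windows paths, the PATH edit) can be run mechanically over the unpacked skill folder before anything is executed. The following pre-install audit is an added example written for this page; it is not part of the Video Analyzer CN skill or of ClawHub's scanner. It builds a constructed sample skill in a temp directory that mirrors the findings in the report (a reference to references/analyze.py with only scripts/analyze_frames.py present, a localhost:11434 call, the two hard-coded paths, and a placeholder agent-reach URL at agent-reach.example, which is an assumption since the page gives no real address) and then reports every finding against an allowlist of hosts the reviewer expects.

```python
"""Pre-install audit of an unpacked OpenClaw skill folder.

Added example for this page, not the skill's own code. Flags: scripts that
SKILL.md tells the agent to run but that do not exist, every URL the skill
text contains (and any host outside the reviewer's allowlist), hard-coded
absolute paths, and PATH manipulation.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>)\]]+""")
# Windows drive paths and common POSIX roots; user-specific paths will not
# exist on another machine and hint at an untested, author-only workflow.
ABS_PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s'"]+|/(?:home|Users|tmp|var|opt)/[^\s'"]+""")
# Script paths SKILL.md points the agent at; each must exist in the folder.
REF_RE = re.compile(r"""\b(?:references|scripts)/[\w.\-/]+\.py\b""")
PATH_EDIT_RE = re.compile(r"""\$env:PATH|os\.environ\[["']PATH["']\]|export PATH=""")
TEXT_EXT = {".md", ".py", ".ps1", ".sh", ".json", ".txt", ".yaml", ".yml"}


def _text_files(root):
    """Yield (relative path, contents) for every text-like file under root."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield os.path.relpath(path, root).replace(os.sep, "/"), fh.read()


def audit_skill(root, allowed_hosts):
    """Return findings for the skill at root.

    allowed_hosts is the set of hosts the reviewer expects the skill to
    contact (the local model server plus the video hosts it is meant to fetch
    from); any other host is reported under external_hosts.
    """
    findings = {"missing_refs": set(), "urls": {}, "external_hosts": set(),
                "abs_paths": set(), "path_edits": []}
    for rel, text in _text_files(root):
        if rel.endswith(".md"):
            for ref in REF_RE.findall(text):
                if not os.path.isfile(os.path.join(root, *ref.split("/"))):
                    findings["missing_refs"].add(ref)
        for url in URL_RE.findall(text):
            findings["urls"][url] = rel
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings["external_hosts"].add(host)
        findings["abs_paths"].update(ABS_PATH_RE.findall(text))
        if PATH_EDIT_RE.search(text):
            findings["path_edits"].append(rel)
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in findings.items()}


# Constructed sample skill: mirrors the report's findings. The agent-reach URL
# is a placeholder (assumption); the page names the service but no address.
SAMPLE_SKILL_MD = r"""# Video Analyzer CN
Extract frames with ffmpeg, then run references/analyze.py on each frame.
Optional: the agent-reach douyin MCP at https://agent-reach.example/douyin (placeholder).
Temp files go to C:\Users\39535\.openclaw\workspace\tmp
PowerShell setup: $env:PATH += ";D:\AI\ffmpeg"
"""

SAMPLE_SCRIPT = r'''import base64, json, urllib.request
OLLAMA_URL = "http://localhost:11434/api/generate"
FFMPEG_DIR = r"D:\AI\ffmpeg"
def analyze(frame_path):
    with open(frame_path, "rb") as fh:
        img = base64.b64encode(fh.read()).decode()
    body = json.dumps({"model": "minicpm-v", "prompt": "describe", "images": [img]}).encode()
    return urllib.request.urlopen(OLLAMA_URL, data=body).read()
'''


def make_sample_skill():
    """Write the constructed sample skill to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="skill-audit-")
    os.makedirs(os.path.join(root, "scripts"))
    with open(os.path.join(root, "SKILL.md"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SKILL_MD)
    with open(os.path.join(root, "scripts", "analyze_frames.py"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SCRIPT)
    return root


if __name__ == "__main__":
    import json
    report = audit_skill(make_sample_skill(), {"localhost", "127.0.0.1"})
    print(json.dumps(report, indent=2))
```

Run it against a real unpacked skill by calling audit_skill(path, allowed_hosts) with the hosts you actually expect; on the sample it reports references/analyze.py as missing, agent-reach.example as the only host outside the allowlist, both hard-coded paths, and SKILL.md as the file that edits PATH. A clean report is not a verdict of safety (the scanner's point about browser access still stands), but it turns the checklist into something you can repeat on every version.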



