Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

transcribe-he

v1.0.1

Transcribe audio or video files using the TextOps/Modal API. Use this skill whenever the user wants to transcribe a video or audio file, mentions an mp4/mp3/...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (transcribe via TextOps/Modal API) matches the code and instructions: the scripts call a remote TextOps API and upload files for processing. However the registry metadata lists no required environment variables while SKILL.md and the scripts require TEXTOPS_API_KEY — a clear mismatch in manifest versus runtime requirements.
Instruction Scope
SKILL.md instructs the agent to run included Python scripts which will (a) probe remote URLs, (b) obtain signed upload URLs, and (c) upload local files to external services, then poll remote job status. This behavior is expected for a hosted transcription service but has privacy implications: local files and URL metadata will be transmitted off-device. The skill explicitly warns to treat transcript contents as untrusted, which is good.
Install Mechanism
There is no install spec (instruction-only at registry level) but the skill includes two Python scripts that will be executed. They require Python and third-party libs (requests; moviepy optionally) and may call ffprobe if available. No third-party packages are fetched at install time, but runtime network calls execute code on remote servers.
! Credentials
At runtime the skill requires a single credential TEXTOPS_API_KEY (used in headers to call text-ops-subs.com). That credential is appropriate for a hosted transcription API, but the registry metadata not listing this required env-var is an inconsistency. You should verify the API provider/domain (https://text-ops-subs.com) before supplying a key, since that key allows the service to process (and retain) your audio.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not request system-wide config. It runs as an on-demand, user-invocable skill; autonomous invocation is allowed by default but not exceptional here.
What to consider before installing
This skill will upload user audio/video to a remote TextOps service (text-ops-subs.com) and requires a TEXTOPS_API_KEY — but the registry metadata omitted that requirement. Before installing:
(1) verify you trust the TextOps domain and its privacy/retention policy;
(2) confirm the API key URL (https://text-ops-subs.com/api/keys) is legitimate;
(3) expect that local files may be uploaded (sensitive audio will leave your machine);
(4) ensure Python and required libs (requests, optionally moviepy or ffmpeg) are available or run the scripts in an isolated environment;
(5) prefer to test with non-sensitive files first;
(6) if you need on-device/offline transcription, choose a different skill or tool.
If possible, ask the author/registry to correct the manifest to declare TEXTOPS_API_KEY as required and provide a privacy/security statement for the backend service.

Like a lobster shell, security has layers — review code before you run it.
