ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

transcription-speech-to-text-hebrew

v1.0.3

Transcribe audio or video files using the TextOps/Modal API. Use this skill whenever the user wants to transcribe a video or audio file, mentions an mp4/mp3/...

0· 29·0 current·0 all-time
by@netanelrotem
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement a transcription flow (local upload, YouTube download, polling TextOps endpoints) which matches the skill name/description. However the registry metadata claims no required environment variables while both SKILL.md and transcribe.py require a TEXTOPS_API_KEY — a clear metadata/claim mismatch that should be corrected.
Instruction Scope
SKILL.md confines runtime behavior to gathering files/URLs, optionally downloading YouTube audio, and running the bundled scripts. It also explicitly warns about treating transcript output as untrusted data. The instructions do not request unrelated system files or unrelated credentials.
Install Mechanism
There is no formal install spec (instruction-only), but the included scripts auto-install yt-dlp via pip at runtime (download_audio.py calls pip with --upgrade and --break-system-packages). Auto-installing packages at runtime alters the host environment and is higher-risk than a pure instruction-only skill; the packages come from PyPI (yt-dlp) which is expected for YouTube downloading.
!
Credentials
The skill requires a single service credential (TEXTOPS_API_KEY) used to authenticate requests to text-ops-subs.com; that is proportionate to a cloud transcription service. The main concern is that the registry metadata does not declare this required env var, so users may not be warned before installation. Also note that the API key and audio files are sent to an external service (text-ops-subs.com / agents.text-ops-subs.com), so users must trust that service with potentially sensitive audio.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It runs as-needed and does not request elevated platform privileges.
What to consider before installing
This skill appears to implement a legitimate transcription flow, but proceed with caution: (1) The SKILL.md and scripts require TEXTOPS_API_KEY, but the registry metadata incorrectly lists no required env vars — assume you must supply TEXTOPS_API_KEY to use the skill. (2) Using the skill will upload audio/video and send your API key to text-ops-subs.com; only use it if you trust that service with the content. (3) The included download script auto-installs yt-dlp via pip at runtime (uses --break-system-packages), which modifies your environment — prefer running these scripts in an isolated environment or sandbox. (4) If you need stronger assurance, ask the publisher to fix the registry metadata to declare TEXTOPS_API_KEY, provide a formal privacy/data-retention statement, and/or run the scripts in a disposable VM to verify behavior before giving the key. If you want, I can list the exact network endpoints and files the scripts contact and modify, or produce a minimal checklist to safely test the skill in isolation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97df6czh4d63rsa45s7rpss0184ag39

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments