Skill v1.0.1
ClawScan security
Video Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 27, 2026, 3:52 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (download videos, read captions, and fall back to OpenAI audio transcription) but the package metadata omits required binaries and the optional OpenAI API key the scripts actually use — and the fallback behavior uploads audio off your machine to OpenAI, so you should understand that before installing.
- Guidance: Before installing or running this skill:
  - (1) Understand privacy: when captions are not available the script downloads audio and uploads it to OpenAI's transcription API (api.openai.com) using OPENAI_API_KEY — do not provide that key if you don't want audio leaving your machine.
  - (2) The registry metadata does not list required binaries or the optional OPENAI_API_KEY even though the SKILL.md and scripts require yt-dlp, python3, curl (and ffmpeg for some sites) — confirm you have/are willing to install those.
  - (3) Prefer installing yt-dlp and ffmpeg via your OS/package manager rather than blindly running the provided curl | chmod command.
  - (4) Inspect the script locally before running, and consider running it in a confined environment (container/VM) if you have sensitive data.
  - (5) Ask the publisher to update the skill metadata to declare the required binaries and the OPENAI_API_KEY dependency so the registry accurately reflects what will be needed.
Review Dimensions
- Purpose & Capability (note): The skill's name and description match the code: yt-dlp is used to fetch captions/downloads, a Python script parses captions, and curl is used to call OpenAI for audio transcription. However, the registry metadata lists no required binaries or env vars while SKILL.md and the scripts require yt-dlp, python3, curl (and optionally ffmpeg) and optionally OPENAI_API_KEY. That metadata omission is an incoherence and should be corrected by the publisher.
- Instruction Scope (ok): SKILL.md and scripts stay within the stated purpose: fetching captions, downloading audio/video, parsing captions, and calling OpenAI's transcription endpoint as a documented fallback. The README explicitly warns about audio uploads and gives guidance. The scripts write cached output to /tmp/video-intel and use $HOME for a local yt-dlp fallback; they do not read other system config or unrelated secrets.
- Install Mechanism (note): There is no formal install spec in the registry (instruction-only skill). SKILL.md includes a curl command to download yt-dlp from GitHub releases and suggests apt install for ffmpeg. Downloading a binary with curl is common but higher-risk than using a distribution package manager; the instructions will write to ~/bin which is benign but should be performed consciously by the user.
- Credentials (concern): The registry metadata claims no required env vars, but the script will require OPENAI_API_KEY when captions are unavailable and it falls back to the OpenAI transcription API. That credential request is proportionate to the fallback behavior, but the omission from the declared requirements is an inconsistency. Users must be aware that providing OPENAI_API_KEY causes audio files to be uploaded to api.openai.com.
- Persistence & Privilege (ok): No special persistence or privileged flags are requested (always:false). The skill caches files under /tmp/video-intel and does not modify other skills or system-wide agent settings. It does not try to auto-enable itself or gain elevated privileges.
