Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jl-video-downloader

v1.0.1

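Multi-platform video download and transcript extraction tool. Supports video download and speech-to-text for platforms including Douyin, Kuaishou, Xiaohongshu, Bilibili, and YouTube. Activate this skill when the user needs to download videos, extract video transcripts, or batch-process videos.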

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (download videos and extract text) matches the scripts' behavior (wrapping uvx jl-video-downloader, calling ffmpeg, using transcription APIs). However the registry metadata claims no required environment variables or credentials while SKILL.md and scripts clearly require SILI_FLOW_API_KEY, DEEPSEEK_API_KEY and optionally cookies for some platforms. That metadata / documentation mismatch is an incoherence.
Instruction Scope
SKILL.md and the included scripts instruct the agent/user to run installation and wrapper scripts, load persistent env files (~/.jl-video-downloader/env), source load_env.sh from shell rc, and execute uvx commands. The instructions will create files in the user's home, modify shell startup files, and execute external installers — all within the tool's scope but outside a purely ephemeral skill action and therefore broader than the metadata suggests.
Install Mechanism
setup.sh will install the 'uv' tool by running curl -LsSf https://astral.sh/uv/install.sh | sh if uv is missing, then uses uv tool install/upgrade to fetch jl-video-downloader. Executing a remote installer via curl|sh is a high-risk pattern (arbitrary remote code executed locally). The skill package itself lacks a registry install spec but contains scripts that perform network installs at runtime.
Credentials
The skill expects several sensitive environment variables (SILI_FLOW_API_KEY, DEEPSEEK_API_KEY) and may ask for cookies (BILIBILI_COOKIES, DOUYIN_COOKIES) for anti-scraping workarounds. Those variables are reasonable for transcription and anti-crawl access, but they are not declared in the skill's metadata (requires.env is empty), which is an important mismatch and increases risk of accidental credential exposure.
Persistence & Privilege
The setup script writes files under ~/.jl-video-downloader, creates a load_env.sh, and appends source lines to ~/.bashrc or ~/.zshrc — persistent changes to the user's shell environment. always is false, but the skill instructs persistent modification of user config, which the user should be aware of and explicitly approve.
What to consider before installing
This skill implements expected downloader/transcription functionality, but exercise caution before installing or running its scripts:

(1) SKILL.md and the scripts require SILI_FLOW_API_KEY and DEEPSEEK_API_KEY (and optional platform cookies) even though the registry metadata lists no required env vars — treat those as sensitive secrets.
(2) setup.sh will run a remote installer (curl https://astral.sh/uv/install.sh | sh) and then install packages via uv; remote install scripts execute arbitrary code — review the installer URL contents before running.
(3) The installer and scripts will create ~/.jl-video-downloader and append a source line to your shell rc (persistent changes); back up ~/.bashrc/.zshrc before proceeding.

Recommended steps: inspect setup.sh and the remote installer (download it first instead of piping to sh), verify the upstream jl-video-downloader package source, prefer installing dependencies manually from trusted package managers, and only provide API keys/cookies if you trust the upstream service and have reviewed the code. If you want lower risk, run the tool inside a disposable VM or container rather than on your primary account.

Like a lobster shell, security has layers — review code before you run it.
