Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

video-subtitle-skill

v1.0.0

Automatically generates subtitles for video/audio files, with support for multilingual speech recognition, translation, speaker diarization, and burning subtitles into the video.

0 · 238 · 3 current · 3 all-time
by Wan Shuaibing (@qwerty0205)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The skill's description and code use the SenseAudio ASR API and therefore require an API key and ffmpeg/ffprobe, but the registry metadata declares no required environment variables or required binaries. That omission is inconsistent: a subtitle generator that calls an external ASR certainly needs an API key and system media tools.
[!] Instruction Scope
Runtime instructions tell the agent to run the included Python script (expected) and to read the generated text file for summarization (expected). However the SKILL.md first step prints the API key with echo (echo "SENSEAUDIO_API_KEY=$SENSEAUDIO_API_KEY") which can expose the secret in logs/outputs — this is an unnecessary secret leak. Instructions otherwise stay within the stated purpose and reference only the input file and generated outputs.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. However the skill ships an executable script (scripts/video_subtitle.py) but does not declare any installation steps for Python dependencies beyond documenting 'requests' and system deps in README/USAGE — this is a minor inconsistency (code is present but no install automation).
[!] Credentials
The code requires a single external credential (SENSEAUDIO_API_KEY) and expects ffmpeg/ffprobe on PATH, but the registry metadata lists no required env vars or binaries. Requiring an API key is proportionate to the purpose, but failing to declare it in metadata is a security/operational gap. Additionally, the SKILL.md's practice of echoing the API key risks exposing it; this is disproportionate and unnecessary.
Persistence & Privilege
The skill does not request always:true, does not declare edits to other skill configs, and has no special persistence or elevated privileges. It runs as a one-off script and outputs local files.
What to consider before installing
This skill largely does what it claims (extract audio, call SenseAudio, write SRT/VTT/TXT, optionally burn subtitles), but there are important mismatches you should address before use:

1) The package metadata does not declare the required SENSEAUDIO_API_KEY or ffmpeg/ffprobe even though the script needs them — treat that as an omission, not a feature.
2) The SKILL.md echoes the API key to stdout, which can leak the secret to logs or other observers; remove that echo or avoid running it.
3) Review the included scripts (scripts/video_subtitle.py) for any code paths that post data to endpoints you don't expect (the script appears to call only https://api.senseaudio.cn).
4) Run the skill in an isolated environment (or with an API key with limited quota) until you confirm its behavior.
5) If you plan to install, ensure ffmpeg/ffprobe are present and supply the SENSEAUDIO_API_KEY securely (do not paste it into chat or run the provided echo).

If you want higher confidence, ask the author to update the metadata to declare the env var/binaries and to remove the secret-echoing line.

Like a lobster shell, security has layers — review code before you run it.

latest: vk976shdc781q9qbjsgdne6h03d833pdp

