Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
video2podcast
v1.0.2
Convert bookmarked videos from YouTube, X (Twitter), and other sites into a podcast RSS feed hosted on Cloudflare R2. Use when the user says things like "add...
by Ryan @ryandeathridge
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the included code: yt-dlp + ffmpeg to extract audio and boto3 to upload to Cloudflare R2 and publish an RSS feed. However, the registry-level 'Requirements' block lists no required environment variables and only a brew ffmpeg install, while the SKILL.md and script require multiple R2 credentials and pip packages (yt-dlp, boto3). That mismatch is an incoherence in the package metadata (likely packaging/registry error) and should be clarified.
Instruction Scope
The SKILL.md and the script stay within the stated purpose: downloading audio, converting, writing state (~/.openclaw/video-podcast-state.json), and uploading feed and files to R2. The script reads ~/.openclaw/.env for credentials and may use yt-dlp's cookiesfrombrowser feature (reads local browser cookies if enabled). No unrelated system paths, hidden remote endpoints, or broad exfiltration are present in the provided code, but the cookie reading and local state writes are noteworthy and documented in the instructions.
Install Mechanism
Install steps use standard package sources: brew for ffmpeg and pip for yt-dlp and boto3, which are expected for this functionality. The registry manifest (Requirements) lists only brew/ffmpeg while SKILL.md's metadata and instructions also require pip packages — this mismatch in declared install spec vs. runtime requirements is an installation/packaging inconsistency that could lead to runtime failures if ignored.
Credentials
The environment variables the script requires (VIDPOD_R2_ACCESS_KEY, VIDPOD_R2_SECRET, VIDPOD_R2_ENDPOINT, VIDPOD_R2_BUCKET, VIDPOD_PUBLIC_BASE) are appropriate and necessary for uploading to Cloudflare R2. They are sensitive credentials and the SKILL.md marks them as such. Two concerns: (1) the registry metadata shown at the top of the evaluation incorrectly lists 'Required env vars: none' which contradicts the script — that discrepancy should be resolved before trusting the package listing; (2) optional cookie access (VIDPOD_COOKIE_BROWSER) lets yt-dlp read local browser cookies — if you enable that, be aware it reads local cookie stores (yt-dlp handles this) and could expose session cookies to source sites (not to R2).
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It persists its own state and expects the user to store credentials in ~/.openclaw/.env — this is consistent with a user-installed utility. No excessive platform privileges are requested.
What to consider before installing
What to check before installing:
1) Metadata mismatch: the registry summary omitted required env vars and pip deps — trust the SKILL.md/script, not the truncated registry line. Expect to provide Cloudflare R2 credentials (access key + secret) and the R2 endpoint/bucket/public URL.
2) Limit credentials: create an R2 API key restricted to only Object Read/Write for the specific bucket, not account-wide admin, and rotate it if possible.
3) Test with a disposable bucket/account first (to avoid exposing real data).
4) Cookie access: if you do NOT want the skill to read local browser cookies, set VIDPOD_COOKIE_BROWSER=none; otherwise understand yt-dlp may read local browser cookie stores to access age-restricted content.
5) Installation: run pip installs in a virtualenv and verify ffmpeg is installed from an official source; the install sources here are standard (brew, pip).
6) Inspect and run the included script in a sandbox before granting credentials — the code writes state to ~/.openclaw and uploads files to the configured public bucket.
7) Legal/privacy: ensure you have the right to redistribute audio from videos you convert and that making the bucket public matches your privacy needs.
If you want this skill but are unsure about the metadata mismatch, ask the publisher to correct the registry manifest to declare the required env vars and pip installs.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: ffmpeg
Install
Install ffmpeg (audio conversion)
Bins: ffmpeg
