Skill v1.0.1

ClawScan security

Subtitle Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 8:14 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a subtitle/transcription tool — it needs ffmpeg, a SenseAudio API key, and common Python packages and uploads extracted audio to senseaudio.cn for transcription.
Guidance
This skill is internally consistent for generating subtitles, but it uploads extracted audio to senseaudio.cn using the SENSEAUDIO_API_KEY you provide. Before sending sensitive audio, make sure you trust that service and its privacy/billing practices, and install only if you do. Keep the API key secret, restrict its permissions if possible, and rotate it if you stop using the skill. Verify you are comfortable installing Python packages (requests, pydub) and have ffmpeg available on the host. If you need an offline/local-only workflow, this skill as written will not provide that without modifying the implementation to use a local speech model.

Review Dimensions

Purpose & Capability
ok: The declared needs (ffmpeg, requests, pydub, and SENSEAUDIO_API_KEY) match the skill's stated purpose of extracting audio and sending it to a transcription API. Requiring an external API key and ffmpeg is expected for this functionality.
Instruction Scope
note: Instructions stay within the subtitle/transcription scope: they extract audio with ffmpeg, open the audio file, and POST it to https://api.senseaudio.cn/v1/audio/transcriptions using the SENSEAUDIO_API_KEY. This means user media will be uploaded to a third-party service (privacy/billing implication). There are minor implementation inconsistencies (e.g., the multilingual helper calls transcribe_for_subtitles with parameters that the defined function signature doesn't accept), but nothing that changes the security model.
Install Mechanism
ok: Install spec requests typical Python packages (requests, pydub) via the uv kind (pip-like). These are common packages; no downloads from untrusted URLs or arbitrary archives are present. Note: pydub depends on ffmpeg being available on the host (declared).
Credentials
ok: Only one credential is required (SENSEAUDIO_API_KEY), which is proportional to using a hosted transcription API. No unrelated credentials or system config paths are requested.
Persistence & Privilege
ok: Skill is not always-enabled and does not request system-wide persistence or modification of other skills. It does not require elevated or cross-skill privileges.