Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Subtitle Downloader
v1.0.0
Download and convert subtitles from YouTube, Bilibili, and 1000+ platforms into SRT, JSON, or TXT with automatic timestamps and GPU acceleration support.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and docs claim GPU-accelerated transcription (faster-whisper), automatic audio -> text transcription, and '1000+ platforms'. The provided Python scripts only call yt-dlp to extract existing subtitles and do not invoke faster-whisper or any transcription pipeline; the only dependency actually checked at runtime is yt-dlp. The marketing claims (GPU transcription, paid tiers) are not reflected in code or runtime requirements.
Instruction Scope
SKILL.md instructs users to pip install yt-dlp and faster-whisper and run the scripts. The scripts themselves only use yt-dlp via subprocess and read a local URL file; they do not access environment variables, external servers beyond what yt-dlp contacts, or other system paths. No broad data-collection or exfiltration behavior is present in the code.
Install Mechanism
There is no install spec in the registry; installation is manual via pip per the README. The recommended packages (yt-dlp, faster-whisper) come from PyPI, which is expected. No downloads from obscure URLs or archive extraction are present in the skill files.
Credentials
The skill declares no required environment variables, credentials, or config paths. The code does not attempt to read secrets or unrelated system configuration. This is proportionate to the stated task of downloading subtitles.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide agent settings. It runs as a normal user-space script and has no elevated persistence requirements.
What to consider before installing
- The code you get is simple: it runs yt-dlp to fetch subtitles and saves converted files. There is no built-in transcription pipeline in the provided scripts despite the README/SKILL.md claiming GPU-accelerated transcription with faster-whisper. If you need audio->text transcription, expect to implement or verify that functionality yourself.
- The skill recommends pip installing faster-whisper (and other heavy packages). Faster-whisper and similar models can download large model files and consume GPU/CPU and disk space; only install them if you trust the source and need that feature.
- yt-dlp will contact the video hosting sites you provide and may download data depending on options. Review yt-dlp behavior and ensure you comply with copyright and site terms.
- There is no network exfiltration in the scripts provided, and no credentials are requested. Still, if the final distribution you install differs from these files (different scripts or additional install steps), re-review for hidden network endpoints, telemetry, or credential use.
- Actionable steps: (1) run the scripts in a controlled environment (sandbox) on sample URLs; (2) inspect/grep any distributed version for calls to faster-whisper or other subprocess/network calls; (3) if you expect transcription/GPU support, request/verify an implementation that actually invokes faster-whisper and documents model downloads and resource needs. If the publisher cannot explain the discrepancy between docs and code, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.
