ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

briefing

Automatically track creator channels and transcribe new videos (YouTube, Bilibili, TikTok) with zero token cost during the pipeline. Use memory-based updates...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 278 · 0 current installs · 0 all-time installs
byYutai Gu@YutaiGu
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to run a 'briefing' CLI that tracks channels and transcribes videos. The installer and runtime expectations (Python 3.12, ffmpeg, a launcher that runs main.py) are consistent with that purpose.
!
Instruction Scope
SKILL.md requires executing the briefing CLI via bash and instructs the agent to automatically run the provided install.sh if the binary is missing. That gives the skill the ability to run an installer script automatically at runtime; the script clones a repo and installs/executes code — a wider scope than merely running a local CLI binary.
!
Install Mechanism
install.sh clones a GitHub repo (REPO_URL default), creates a Python venv, pip-installs requirements from the repo, and writes a launcher into /usr/local/bin or ~/.local/bin (using sudo if available). Cloning and pip-installing arbitrary repository code at install time is a moderate-to-high risk action (remote code execution surface). The repo host is GitHub (reasonable), but the script executes code from that repo (main.py) after installation.
Credentials
The skill declares no required credentials or env vars. The installer itself supports overrides (REPO_URL, INSTALL_DIR, BIN_DIR, PYTHON_BIN), which is normal for an installer but means changing env values can redirect the install to other code. No direct exfiltration or credential access is requested by SKILL.md.
Persistence & Privilege
The installer modifies user shell profile files to add the launcher directory to PATH and installs a persistent launcher script in system or user bin. always:false (not force-included), but the installer still makes persistent changes to the user's environment if run.
What to consider before installing
This skill appears to be a wrapper for a third-party CLI and its installer will clone a GitHub repo, install packages with pip, and place an executable in your PATH (possibly using sudo). These behaviors are coherent with a CLI-based transcription tool, but they also let remote code run on your machine. Before installing or allowing the agent to run the install script: 1) Review the repository contents (especially requirements.txt and main.py) to ensure you trust the code and packages being installed. 2) Prefer running install.sh manually in a controlled environment (container, VM, or non-privileged user account) rather than allowing the agent to execute it automatically. 3) Avoid running the installer with sudo unless you understand why system-wide install is needed; use INSTALL_DIR and BIN_DIR to install into a local directory instead. 4) If you do not trust the upstream repo, set REPO_URL to a vetted source or decline installation. 5) If you want to be extra cautious, block or disable commands.bash for autonomous agents so the agent cannot run the installer automatically.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.9
Download zip
latestvk975xyhwcx8wpq67x859ca42t18235t2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📺 Clawdis

SKILL.md

Briefing Operator

This skill operates the briefing CLI tool.

Available Commands

  • Run update pipeline: briefing

  • Add tracking URL: briefing -add <source_url>

  • Delete tracking URL: briefing -delete <source_url>

  • Set config key: briefing -set <KEY> <VALUE>

  • Show config: briefing -show

Execution Rules (Strict)

  1. Bootstrap Check: Before any execution, if the briefing binary is missing from PATH:

    • Check if {skillDir}/install.sh exists.
    • If found, execute bash {skillDir}/install.sh to initialize the environment.
    • If initialization fails or script is missing, report: "briefing CLI not found. Please run the install script manually." and stop.

  2. Bash Tool Requirement: Always execute the CLI command using bash/exec. If bash is disabled, report: "bash tool is disabled. Enable commands.bash=true." and stop.

  3. Absolute Path Fallback: If briefing is not in global PATH, try executing via {skillDir}/briefing (if the installer symlinks it there).

After Running briefing

  1. Parse stdout.

  2. Detect lines matching:

    [WHISPER DONE] <filename>

  3. For each <filename>, read:

    output/<filename>/whisper.txt

  4. Return the extracted whisper content.

  5. If no [WHISPER DONE] appears, report: "No new whisper output generated in this run."

  6. If a whisper file is missing, report the exact missing path.

Fallback

If briefing is not available on PATH:

  • Attempt execution using an absolute path if known.
  • If still unavailable, report and stop.

Do not manually edit config.json. Always use CLI commands.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…