ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawdBites

v0.1.0

Extract recipes from Instagram reels. Use when a user sends an Instagram reel link and wants to get the recipe from the caption. Parses ingredients, instructions, and macros into a clean format.

0· 1.9k·0 current·0 all-time
by@kylelol
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (extract recipes from Instagram reels) matches the required binaries (yt-dlp, ffmpeg, Whisper) and the runtime flow (dump caption, download media, transcribe audio). These tools are appropriate and expected for the stated purpose.
Instruction Scope
The SKILL.md mandates an automatic flow that will download the reel and transcribe audio without asking the user if the caption is incomplete — this is coherent with the goal but is a behavioral choice with privacy implications. The doc also references 'frame analysis' / a vision model for on-screen text but provides no commands, dependencies, or heuristics for that step; that's an incomplete/underspecified part of the instructions.
Install Mechanism
Registry install specs list Homebrew formulas for yt-dlp and ffmpeg (reasonable). The SKILL.md metadata recommends installing Whisper with `pip3 install --user openai-whisper`; that pip install is present in SKILL.md metadata but not in the top-level registry install list—an inconsistency to be aware of. Installing Whisper via pip is a standard approach but has the usual network/install risks of pulling a package from PyPI.
Credentials
No environment variables, tokens, or unrelated credentials are requested. The skill does write/read temporary files (e.g., /tmp/reel.mp4, /tmp/reel.wav) and optionally writes to a local memory file (memory/recipe-wishlist.json) when the user opts in; these file operations are proportional to the described functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or cross-skill privileges. It may write an optional wishlist JSON and uses /tmp for transient files; this is normal and scoped to its purpose.
Assessment
This skill appears coherent with its purpose, but check these before installing: (1) it will download the Instagram reel and transcribe audio locally without asking if the caption is incomplete — consider the user's privacy expectations when sharing links; (2) the SKILL.md references frame-analysis/vision OCR but doesn't declare OCR dependencies or commands—expect that feature may be incomplete or rely on platform vision capabilities; (3) Whisper is installed via pip (network install from PyPI) according to SKILL.md but the registry install list omits it—decide whether you want that pip install to run; (4) temporary media files are written to /tmp and optional wishlist writes to memory/recipe-wishlist.json—verify you are comfortable with local file writes; and (5) Homebrew installs for yt-dlp and ffmpeg are standard and expected. If any of these concerns matter, ask the skill author for clarification (explicit OCR/install steps and an opt-in prompt before downloading/transcribing) or only run the skill in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bqdvmpp6b0hkpm1jd80x6x800mn0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
OSmacOS · Linux
Binsyt-dlp, ffmpeg, whisper

Install

Install yt-dlp via Homebrew
Bins: yt-dlp
brew install yt-dlp
Install ffmpeg via Homebrew
Bins: ffmpeg
brew install ffmpeg

Comments