ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MAXQDA Timecode Converter

v1.0.0

Convert transcript timecodes from MM:SS format to MAXQDA [hh:mm:ss] format with timecodes before speaker names, removing the first line and overwriting files.

0· 154·0 current·0 all-time
byKANG RUIFU@kiriny1999
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described purpose (timecode conversion and reordering) matches the provided one-liner and batch examples. However, the metadata says no required binaries, while the instructions rely on perl (and standard shell utilities like mv). The omission of perl from required binaries is an inconsistency.
!
Instruction Scope
Instructions explicitly overwrite original files and remove the first line of each file — a destructive action that should be made explicit in metadata and UI and offer a backup option. The examples reference shell variables ($INPUT_FILE, $TEMP_FILE) and a directory path placeholder without declaring them; users may accidentally run these on the wrong files. There is no remote network activity or credential access in the instructions.
Install Mechanism
This is an instruction-only skill (no install script), which minimizes supply-chain risk. Still, it depends on an interpreter (perl) and standard shell tools; the skill should declare perl as a required binary or provide a fallback implementation in a more commonly available tool (e.g., awk/python) to avoid hidden failures.
Credentials
The skill requests no credentials or environment variables, which is appropriate for a local file conversion task. Minor issue: example uses $INPUT_FILE/$TEMP_FILE placeholders and path strings that are not documented as inputs in the metadata.
Persistence & Privilege
No persistent presence is requested (always:false) and the skill does not request elevated agent privileges. Autonomous invocation is allowed by default but not itself a red flag here.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found nothing — expected because this is an instruction-only skill with no code files for regex analysis. Lack of findings is not evidence of safety.
What to consider before installing
This skill appears to do exactly what it says (convert MM:SS to [hh:mm:ss] and put timecodes before speaker names), but be careful: 1) It relies on perl though the metadata doesn't list perl as required — ensure perl is installed. 2) It overwrites your original files and removes the first line of each file; run it first on copies or add an explicit backup step. 3) Replace the example placeholders ($INPUT_FILE, $TEMP_FILE, /path/to/directory/) with concrete paths and test on a small sample to confirm behaviour (especially for files with different encodings or formats). If you plan to install or allow autonomous runs, ask the author to update the metadata to declare perl as a required binary and to offer a non-destructive mode or explicit backup option.

Like a lobster shell, security has layers — review code before you run it.

latestvk975gpsjhtedvehzhah186gypx832z9s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments