ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Download Archive

Validate single video URLs, download highest-quality files with yt-dlp, and archive results into a Feishu Bitable using platform tools.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 233 · 2 current installs · 2 all-time installs
by@feiernk
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to validate/ download a single video and archive metadata to a Feishu Bitable, which fits the included code. However the package metadata declares no required binaries or credentials while the script clearly calls yt-dlp, ffprobe and an external helper (YTFETCH = /home/jianhao/.openclaw/workspace/scripts/ytfetch.sh). The omission of these runtime requirements is incoherent and likely to cause unexpected behavior.
!
Instruction Scope
SKILL.md instructs the agent to run scripts/run_video_archive.py and to use the platform's feishu_bitable_app_table_record to write records (not the script). The Python script, however, executes an external script at an absolute path (ytfetch.sh), calls yt-dlp and ffprobe, and prints out a bitable token/table id in its JSON output. These implementation details (external script execution, reliance on local files, and emitting credentials) are not documented in the SKILL.md and enlarge the runtime scope beyond the stated instructions.
Install Mechanism
There is no install spec (instruction-only plus included code), which keeps install risk low. However the code expects external binaries and a helper script to be present on the host filesystem; because these are not provided by the package, the runtime behavior depends on the agent environment and could fail or execute unexpected local scripts.
!
Credentials
The Python file hardcodes BITABLE_APP_TOKEN and BITABLE_TABLE_ID constants (credentials/IDs) instead of declaring them as required env vars or relying solely on the platform's feishu tool. The skill metadata declares no credentials; embedding an app token in code is a red flag (possible secret leakage or misuse). It also accesses user-local paths (~/Downloads and an absolute home/workspace path) which grants it filesystem visibility beyond a minimal need.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) and is not by itself a problem. The skill does read/write local files in ~/Downloads, which is consistent with its stated purpose but should be expected when granting it runtime.
What to consider before installing
This skill appears to do what it claims (download with yt-dlp and record metadata), but there are several mismatches you should resolve before installing or running it: (1) The script requires external binaries (yt-dlp, ffprobe) and an external helper script at a hardcoded path (/home/jianhao/.../ytfetch.sh) that are not declared — verify that helper and binaries and inspect their contents before use. (2) A Feishu app token and table ID are hardcoded into the Python file: confirm whether that token is intended to be public, rotate it if it's yours, or remove it and supply credentials via platform-provided secure variables. (3) The script prints the token/table id in its JSON output — ensure the platform will not leak that output to third parties. (4) Test the skill in a sandboxed environment, request the author to document required runtime dependencies and the purpose/ownership of the embedded token, and ask for the ytfetch.sh source or a version included in the package. Resolving these items (especially verifying the ytfetch helper and the hardcoded token) would reduce risk and could change the assessment.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97bdt8g75ayk254472bxfkcp5830e02

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

When to Use

  • 用户发来单个视频链接,希望自动下载并归档
  • 需要复用既有 yt-dlp 下载规则与元数据补全规则
  • 需要把下载结果写入指定飞书多维表格
  • 需要对已存在文件做补全、核对或补记录,而不是盲目重下

Quick Reference

TopicFile
主流程workflow.md
飞书表字段映射bitable-mapping.md
错误与终止规则error-handling.md
执行脚本scripts/run_video_archive.py
使用说明usage.md

Core Rules

  1. 只处理单个视频链接;不处理播放列表、频道页、多链接批量任务。
  2. 必须先调用 scripts/run_video_archive.py <url> 完成预检、主键生成、本地查重、下载/补全和字段组装。
  3. 主键固定为 站点-视频ID,同时写入“视频主键”和“视频唯一ID”。
  4. 本地归档目录固定为 ~/Downloads/yt-dlp/<上传者目录>/;优先用 @handle 作为上传者目录名。
  5. 默认下载最高质量版本、优先 mkv、保留 .info.json,并沿用现有元数据补全规则。
  6. 下载脚本只负责本地执行与生成 record_fields;飞书写表必须使用平台提供的 feishu_bitable_app_table_record 工具完成。
  7. 写入飞书前若发现字段缺失、字段类型不匹配,或需要新增字段,必须暂停并先询问用户。
  8. 已存在文件时优先补全与补记录,不要因为路径变化就直接重下。

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…