ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

videomp3word MCP

v2.0.3

Structured knowledge extraction MCP server for ClawHub/OpenClaw. Converts remote media URLs into summary, topics, action items, Q&A, flashcards, entities, co...

0· 192·0 current·0 all-time
by@shuyuew1991

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for shuyuew1991/videomp3word-mcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "videomp3word MCP" (shuyuew1991/videomp3word-mcp) from ClawHub.
Skill page: https://clawhub.ai/shuyuew1991/videomp3word-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install videomp3word-mcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install videomp3word-mcp
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement a server that ingests remote media URLs, calls an upstream transcription service and a knowledge-model endpoint, and returns structured JSON — exactly as the description says. Requested items like VIDEOMP3WORD_SESSION_COOKIE, optional model API keys, and MONGO_URI are coherent with that purpose. However, the registry summary claims no required env vars while package.json and src/config.ts enforce a required VIDEOMP3WORD_SESSION_COOKIE; this metadata mismatch is noteworthy and may mislead users about what credentials are needed.
Instruction Scope
Runtime instructions are explicit: build and run the server, provide the upstream session cookie and optionally model/API and DB settings. The SKILL.md and README clearly state that transcript text, chunks, and media URLs are sent to upstream transcription and model endpoints, and they advise auditing those endpoints. The instructions do not instruct access to unrelated local files or other credentials.
Install Mechanism
There is no automated download/install in the registry entry (manual npm build/start is required). The bundle includes full TypeScript source and a standard package.json; dependencies are from npm (express, mongodb, zod, and a modelcontext sdk). Nothing is fetched from obscure/personal URLs nor is there an extract-from-URL install step in the metadata.
!
Credentials
The server requires a sensitive upstream session cookie (VIDEOMP3WORD_SESSION_COOKIE) and can be configured with knowledge model API keys and a MongoDB URI. Those are proportionate to the declared functionality, but they are sensitive: the required session cookie is effectively a credential for a third-party transcription service and should come from a dedicated account. Additionally, the default knowledge model base is set to https://dashscope.aliyuncs.com/compatible-mode/v1 (non-obvious third-party endpoint) which may surprise deployers who expect OpenAI or a different provider. Finally, the registry-level metadata claimed no required env vars while package.json marks the session cookie as required — this mismatch increases risk of accidental credential exposure by users who assume no secrets are needed.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It runs as a standalone HTTP / MCP server (binds host/port, default 0.0.0.0:3000) and can persist to MongoDB if MONGO_URI is provided. That persistence capability is expected for this product; ensure you do not expose the service publicly without configuring MCP_ACCESS_KEYS (the code enforces requiring access keys in production).
What to consider before installing
This package is mostly coherent with its stated purpose, but proceed cautiously: - Expect to provide a sensitive upstream credential (VIDEOMP3WORD_SESSION_COOKIE). Use a dedicated upstream account and never reuse personal credentials. The registry listing incorrectly stated 'no required env vars' even though the package enforces this cookie — don't rely on registry metadata alone. - The default knowledge model endpoint is dashscope.aliyuncs.com (an Aliyun-compatible endpoint). If you need data to remain within trusted providers, override KNOWLEDGE_MODEL_API_BASE and KNOWLEDGE_MODEL_API_KEY or disable model forwarding. - Audit the upstream transcription service and model endpoint before sending transcripts or media URLs — transcripts and media URLs will be transmitted to those services. - If you deploy this server publicly, set MCP_ACCESS_KEYS and run behind a firewall / internal network. In production NODE_ENV the server will refuse to start without access keys according to the code; still verify your deployment defaults (host/port) and CORS settings. - If you need persistent storage, provide a MONGO_URI that you control; otherwise the server will use in-memory storage (development). Review stored artifacts if you have privacy concerns. - Because package metadata and SKILL.md disagree about required env vars, review src/config.ts and package.json directly (they govern runtime behavior) before installing. If you are not comfortable providing the upstream session cookie or exposing transcripts to external model APIs, do not install or run this service in your environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk974gnrtd6kgw8nqzaytw5htz1855syc
192downloads
0stars
17versions
Updated 1w ago
v2.0.3
MIT-0
@shuyuew1991
latest
Download

Videomp3word Structured Knowledge Engine

Use this MCP server when the task is to turn a remote audio or video URL into structured, reusable knowledge for downstream products or automations.

Primary Tool

  • video_to_knowledge

Inputs:

  • media_url
  • outputs: any combination of summary, qa, flashcards, tasks, topics
  • mode: fast, balanced, or high_accuracy

Outputs include:

  • summary
  • topics
  • key points
  • action items
  • Q&A pairs
  • flashcards
  • entities
  • confidence scores
  • workflow trace with models and chunk references

Positioning

Prefer this server when an agent needs:

  • one task-oriented MCP call instead of many small tools
  • structured JSON for automations
  • traceability for enterprise workflows
  • export-ready artifacts for markdown or Notion
  • cacheable processing with persistent resources
  • ClawHub-compatible stdio support

Notes

  • The server keeps a single high-level MCP tool to stay commercially productized and easier to publish.
  • The upstream session cookie is sensitive and should come from a dedicated account.
  • Transcript text, chunk context, and media URLs are sent to the configured upstream transcription service and, when enabled, to the configured knowledge model endpoint. Audit and trust those endpoints before deployment.
  • Installation is manual for this bundle: run npm install, npm run build, and npm start or launch node dist/index.js stdio.
  • The default knowledge-model base matches the original videomp3word deployment and points to DashScope-compatible OpenAI APIs unless you override KNOWLEDGE_MODEL_API_BASE.
  • Non-local VIDEOMP3WORD_BASE_URL and KNOWLEDGE_MODEL_API_BASE values should use HTTPS because credential-bearing requests are sent to those services.
  • Configure MCP_ACCESS_KEYS before exposing the server publicly.

Comments

Loading comments...