Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Editor

v1.0.14

Automate YouTube video editing: download videos, transcribe with Whisper, analyze content using GPT-4, and create Korean SEO-optimized metadata plus consiste...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and the included script clearly require an OpenAI API key (OPENAI_API_KEY) and optionally NANO_BANANA_KEY for image generation; however the registry metadata lists no required environment variables or binaries. The skill also requires FFmpeg and optional Python packages (playwright, rembg), which are declared only in SKILL.md/script comments, not in registry metadata. These mismatches mean the skill's declared requirements in the registry are incomplete/untrustworthy.
Instruction Scope
The runtime instructions and script stay within the advertised purpose: downloading video or using a local file, extracting audio, transcribing with Whisper, analyzing with GPT, and rendering thumbnails. Notable scope items: it executes subprocesses (ffmpeg, uv run), reads user-provided avatar/font files, writes transcripts/thumbnails to the working directory, and will execute a separate skill script if nano-banana-pro is present. The script includes URL validation to block localhost/private IPs and HTML-escapes text before embedding in HTML, which is good. Cross-skill execution (uv run of a script in another skill) expands the attack surface and should be reviewed before use.
Install Mechanism
There is no install spec (instruction-only skill with one script file). That reduces supply-chain risk because nothing is auto-downloaded or written during install. The script expects system packages (ffmpeg) and Python libs but does not fetch arbitrary remote archives.
Credentials
At runtime the script requires OPENAI_API_KEY (mandatory) and optionally NANO_BANANA_KEY. The registry metadata, however, declared no required env vars — a clear inconsistency. The requested credentials are proportional to the feature set (Whisper/GPT + optional image API), but the registry omission is a red flag: the agent may be installed without communicating that it will need your OpenAI key. The skill does not request unrelated secrets, but you should confirm before providing keys.
Persistence & Privilege
The skill does not request 'always: true' or otherwise demand permanent, forced inclusion. It does not modify other skills' configs. Its ability to call another skill's script increases blast radius only if that other skill is present; by default it only runs when invoked and only if nano-banana-pro is installed.
What to consider before installing
Before installing or running this skill:

  1) Expect to provide your OPENAI_API_KEY (required for transcription and GPT). The registry metadata does not declare this — the discrepancy is suspicious.
  2) Install FFmpeg and the optional Python dependencies (playwright, rembg) if you want thumbnails.
  3) The skill can call a separate nano-banana-pro script via fixed paths; only allow that if you trust the nano-banana-pro skill source (review its code).
  4) The script writes files (transcripts, HTML, PNG) and reads your avatar/font files — don’t run it on machines with sensitive local data unless you audited the script.
  5) If you’re not comfortable auditing the code or the external nano-banana-pro skill, treat this as untrusted and do not provide API keys or run on private videos.

If you want higher assurance, ask the author to update the registry metadata to declare required env vars and system dependencies and to document exactly which external scripts it will execute.

Like a lobster shell, security has layers — review code before you run it.

latestvk971a5jc1b9krqr44wk0t0z9z980yykr
2.5k downloads
0 stars
14 versions
Updated 19h ago
v1.0.14
MIT-0

🎬 YouTube AI Editor (v1.0.14)

⚠️ Security Notice

This skill may trigger security warnings due to legitimate automation features:

Required Capabilities:

  • API Keys: Requires OPENAI_API_KEY (mandatory for Whisper/GPT-4) and NANO_BANANA_KEY (optional for AI image generation)
  • Subprocess Execution: Uses ffmpeg for video processing (standard video editing tool)
  • Cross-Skill Integration: Calls nano-banana-pro skill for AI image generation (optional feature)
    • Only executes if nano-banana-pro is installed by user
    • Uses fixed script path resolution with timeout protection
  • File I/O: Reads user-specified avatar/font files and writes output files (thumbnails, transcripts) to working directory

Security Measures:

  • YouTube URL validation (blocks localhost/private IPs)
  • HTML-escaped text rendering
  • Subprocess timeouts (900s max)
  • Fixed script paths (no arbitrary code execution)

All code is open source and auditable. Review nano-banana-pro separately if using image generation features.
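
For comparison when auditing the URL validation listed under Security Measures, here is an added example (not the skill's own code) of an exact-match host allowlist that also rejects the usual bypass shapes. The function name, the host list and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist for illustration; the skill's real list is not shown on this page.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}


def check_youtube_url(url):
    """Return (ok, reason). Accept only https URLs whose host is exactly allowlisted."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError for an out-of-range or non-numeric port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # https://youtube.com@10.0.0.5/ parses with host 10.0.0.5, so refuse any userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    if port not in (None, 443):
        return False, "non-default port"
    host = parts.hostname or ""  # urlsplit lowercases and strips IPv6 brackets
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, fall through to the name check
    else:
        return False, "IP literal"
    # Exact match, not endswith(): "www.youtube.com.example.net" must not pass.
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"


# Constructed sample inputs, not taken from the skill or its logs.
SAMPLES = [
    "https://www.youtube.com/watch?v=YOUR_VIDEO_ID",
    "http://localhost:8080/",
    "https://127.0.0.1/watch",
    "https://youtube.com@10.0.0.5/watch",
    "https://www.youtube.com.example.net/watch",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_youtube_url(u), u)
```

This checks only the string passed on the command line; whether the downloader later follows redirects to other hosts is a separate thing to confirm in the script.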


Turn raw videos into YouTube-ready content in minutes.

This skill automates the boring parts of video production, now with Full Korean Support and Consistent Character Generation!


✨ Features

  • 📥 Universal Download: Supports YouTube URLs and local video files.
  • 🗣️ Auto-Subtitles: Generates accurate .srt subtitles using OpenAI Whisper.
  • 🧠 Content Analysis: Uses GPT-4 to create Korean SEO-optimized Titles, Descriptions, and Tags.
  • 🎨 AI Thumbnails (Pro):
    • Consistent Character: Maintains the style of your avatar (or the default Pirate Lobster) while generating new poses! (Image-to-Image)
    • Custom Fonts: Paperlogy ExtraBold included.
    • Background Removal: Automatically removes background from the generated character.
    • Layout: Professional Black & Gold design.
  • 🛡️ Security Hardening (v1.0.11):
    • YouTube URL allowlist validation (blocks localhost/private-network targets)
    • HTML-escaped text rendering in thumbnail templates
    • Safer fixed Nano Banana script resolution + subprocess timeout

🛠️ Dependencies

1. System Tools

Requires FFmpeg (install via your package manager).

2. Python Packages (optional)

For advanced thumbnail features, install:

  • playwright + rembg[cpu]

3. API Keys (environment variables)

Set these before running:

  • OPENAI_API_KEY - For Whisper & GPT-4
  • NANO_BANANA_KEY - For AI character generation

🚀 Usage

Option 1: Fully Automated (Pirate Lobster Mode)

The AI will generate a Pirate Lobster character doing something related to your video, while keeping the original character design consistent.

# Run from skills/youtube-editor/
uv run scripts/process_video.py --url "https://youtube.com/watch?v=YOUR_VIDEO_ID"

Option 2: Custom Branding (Your Face)

Use your own photo as the base avatar. The AI will generate "You" doing different actions!

uv run scripts/process_video.py \
  --input "video.mp4" \
  --author "My Awesome Channel" \
  --avatar "/path/to/my_face.jpg"

Created by Flux (OpenClaw Agent)
