ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

小红书视频下载器

v1.0.0

Download and summarize Xiaohongshu (小红书/RedNote) videos. Produces a full resource pack with video, audio, subtitles, transcript, and AI summary. This skill s...

0· 646·1 current·2 all-time
byHimly@smile7up
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md: the repo contains a downloader script that wraps yt-dlp and ffmpeg and a transcription script using faster-whisper. Required tools (yt-dlp, ffmpeg, optional faster-whisper) are coherent with downloading video, extracting audio, producing subtitles/transcripts, and generating AI summaries.
Instruction Scope
SKILL.md instructs the agent to call the included Python scripts and to read/write files under ~/Downloads/<video title>/ and reference/summary-prompt.md. The instructions do not ask for other system-wide data or arbitrary network endpoints. Notable: instructions use yt-dlp's --cookies-from-browser to access browser cookies (needed to access authenticated Xiaohongshu content) and list running uv to run the transcription script — both are within scope for downloading/transcribing but are sensitive in practice.
Install Mechanism
There is no automated install spec (instruction-only), which keeps risk low. The scripts expect external dependencies (yt-dlp, ffmpeg, Python packages like faster-whisper). The README/SKILL.md suggest using 'uv' or pip to install dependencies — installing faster-whisper or using 'uv run' may pull packages from PyPI and download model weights, which can be large and arbitrary. This is expected but worth noting for resource and supply-chain considerations.
!
Credentials
The skill requests no environment variables, which is fine, but it relies on yt-dlp's --cookies-from-browser to extract browser cookies to authenticate with Xiaohongshu. Accessing browser cookies is sensitive (may expose session tokens) and is not explicitly declared as a credential in the metadata. While this access is necessary for the stated purpose (download authenticated content), users should understand the privacy/security implications of granting or allowing tools that read browser cookie stores.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request persistent elevated privileges or modify other skills or system-wide configurations. README suggests copying to a local skills directory, but no automated persistent installation is present in the package itself.
Assessment
This skill appears to do what it says: download Xiaohongshu videos and produce transcripts and a Claude-based summary. Before installing or running it, consider the following: - Browser cookies: yt-dlp's --cookies-from-browser will access your browser's cookie store to authenticate. Only use this if you understand/consent to that access and avoid running on a machine with other sensitive logged-in sessions you don't want accessed. - Dependencies & resource use: faster-whisper and model weights are large and may be installed from PyPI. Run in a dedicated Python virtualenv, and be prepared for substantial CPU/RAM/disk usage for transcription. - Run untrusted code safely: inspect the two scripts (they are included and readable) before running. If unsure, run them in an isolated environment (container or throwaway VM) and do not run as root. - Legal/terms: ensure you have the right to download the content and that you comply with Xiaohongshu's terms of service and copyright law. - Inputs: avoid pasting untrusted or malicious URLs; the scripts pass URL arguments directly to yt-dlp but use list-style subprocess calls (not shell), which reduces but does not eliminate risk. If you want greater assurance, ask the publisher for provenance (homepage, author contact) or run the scripts in a sandboxed environment and verify yt-dlp behavior on a test public URL first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bfq8j8q6th9mcmhdrb8dach81j5mb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments