Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video To Text
v1.0.0
Convert video or audio files from URLs into text or subtitle formats using a free API with automatic language detection and no local downloads required.
by @sxliuyu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and metadata emphasize a free, no-local-download, no-API-key Whisper API. The actual code (index.js/tool.js) downloads the provided URL into a temp file and then uploads the file to a third‑party endpoint (CONFIG.primaryApi = https://api.myshell.ai/...). The repository also includes a Python script that supports local Whisper/ffmpeg and AssemblyAI (which requires an API key). Requiring local downloads (to temp) contradicts the 'no local downloads required' claim; presence of multiple fallback mechanisms (some requiring keys) is not explained in the description.
Instruction Scope
Runtime instructions and code will: fetch user-provided URLs, write the content to a temp file, and transmit the file contents to an external service (myshell.ai). That network upload is expected for a transcription skill, but the SKILL.md's phrasing ('no local downloads required') is misleading. The skill will therefore exfiltrate the media to an external third party; SKILL.md does not make clear the privacy/security implications or ownership of that third party. The Python script supports local processing, ffmpeg, and other APIs but these are not required or documented as alternate flows in the top-level description.
Install Mechanism
No install spec (instruction-only) is present, so nothing is installed automatically — lower install risk. However, the package includes runnable code (node scripts and a Python script) that invokes external binaries (ffmpeg) and makes network requests; if the user or agent runs the included scripts they need node and possibly Python/ffmpeg/whisper. There is no download-from-suspicious-URL install step, which is good.
Credentials
The skill does not require environment variables or credentials to run the primary path. However the code contains optional branches that reference external services requiring API keys (OpenAI, AssemblyAI) and a local whisper flow which requires Python packages and ffmpeg; those are optional but not clearly documented in SKILL.md as alternative modes. Primary API (myshell.ai) is used without a key — you should verify and trust that endpoint before sending sensitive media.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills, and does not request system-level configuration. It runs as a tool via child process (execSync) which is normal for wrappers, but executing bundled scripts means the agent will run code on the host when invoked.
What to consider before installing
This skill will download the media you provide to a temp file and upload it to an external service (https://api.myshell.ai). That behavior is necessary for remote transcription but contradicts the 'no local downloads' claim in the description and exposes your media to a third party whose privacy policy and trustworthiness are unknown. Before installing or using: (1) avoid sending sensitive or private media to this skill, (2) verify the myshell.ai endpoint and operator and their privacy/retention policies, (3) if you need local-only processing, prefer using the included Python script with a vetted local Whisper/ffmpeg installation (be aware that requires installing software and models), and (4) run the skill in a restricted/sandboxed environment if you must test it. If the misleading description (no local download/no key) is a concern, contact the author or prefer a transcription skill that clearly documents data flow and required credentials.
tool.js:40
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.