Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitles

v1.4.1

Get subtitles from YouTube videos for translation, language learning, or reading along. Use when the user asks for subtitles, subs, foreign language text, or wants to read video content. Supports multiple languages and timestamped output for sync'd reading.

⭐ 0· 3.4k·6 current·6 all-time

byRohit Das@therohitdas

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description require an API key and a small CLI helper. Declared requirements (node, TRANSCRIPT_API_KEY, ~/.openclaw/openclaw.json) match the included auth script and the documented curl usage against transcriptapi.com.

✓

Instruction Scope

SKILL.md instructs only account registration/verification and calls to TranscriptAPI endpoints. The runtime steps ask for email/OTP, run the included tapi-auth.js script, and save an API key; they do not request unrelated files, credentials, or external endpoints beyond transcriptapi.com.

✓

Install Mechanism

No install spec; this is instruction-only plus a single included Node script. Nothing downloads or writes arbitrary third-party code during install.

ℹ

Credentials

Only TRANSCRIPT_API_KEY is required and is the primary credential — appropriate for this API client. Note: the CLI saves the key into the shared ~/.openclaw/openclaw.json config (and backs it up). That is expected for agent access, but it means the API key is stored in a configuration file accessible by anything that can read that path.

✓

Persistence & Privilege

always is false and the skill only writes/updates its own entry in ~/.openclaw/openclaw.json. The script does not modify other skills or system-wide settings beyond that file.

Assessment

This skill appears to be what it claims: a TranscriptAPI client. Before installing: (1) Confirm you trust transcriptapi.com and read their privacy/billing terms; (2) be aware the signup flow asks for your email and a 6-digit OTP and will store the returned API key in ~/.openclaw/openclaw.json (backed up as .bak) — anyone or any skill with access to that file could read the key; (3) if you prefer, create the API key manually on transcriptapi.com and set TRANSCRIPT_API_KEY yourself instead of using the included script; (4) if the key is ever exposed, revoke it in your TranscriptAPI dashboard.

Like a lobster shell, security has layers — review code before you run it.

latestvk978pyg8bxg1nrcq9t4846qmvh80zswv

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🗨️ Clawdis

Binsnode

EnvTRANSCRIPT_API_KEY

Config~/.openclaw/openclaw.json

Primary envTRANSCRIPT_API_KEY

Subtitles

License

Runtime requirements

Comments