Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

subtitle-refiner

v1.0.0

Intelligently refines SRT subtitles: removes filler words and corrects ASR errors while keeping timestamps unchanged, writes the refined file, and sends a Feishu notification plus a token usage report.

0 · 280 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The description, SKILL.md and the code all describe using the SiliconFlow LLM to refine SRT files, so requiring SILICONFLOW_API_KEY is consistent with that purpose. However, the registry metadata at the top (Required env vars: none) contradicts SKILL.md and the code, which expect SILICONFLOW_API_KEY; this inconsistency should be resolved before the skill is trusted.
Instruction Scope
SKILL.md instructs the agent to run scripts/refine.py and to obtain a Feishu chat_id and a workspace directory from context. The visible portions of the script log the full request payload, the Authorization header (Bearer <API_KEY>) and the full response JSON to stderr, which exposes the API key and the user's subtitle content in logs. SKILL.md also promises to send files to Feishu but declares no Feishu credentials and does not explain how that call is authenticated, leaving it unclear where data and files are sent and with which credentials.
Install Mechanism
There is no external installer or remote download; the skill is instruction-only with packaged Python scripts, which reduces installer risk. It does depend on Python and the requests library being installed, but there is no high-risk install URL or archive extraction.
Credentials
Requiring SILICONFLOW_API_KEY is proportionate to using SiliconFlow. However: (1) the registry metadata omits that requirement (incoherent declarations); (2) the script prints the API key to stderr (leaks a secret); and (3) the skill sends output to Feishu but declares no Feishu credentials or environment variables, so it is unclear which credentials the script uses to post files. This ambiguity, combined with explicit key leaking, is a privacy and security concern.
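The logging defect described under Instruction Scope and Credentials, shown as an added example (this is not code from the subtitle-refiner skill or from ClawHub): leaky_log() is the flagged pattern, the Authorization header and whole request/response JSON serialized verbatim for stderr; safe_log() is the replacement a reviewer would ask for, which masks bearer tokens, replaces long user content with a length marker, and scrubs the raw secret from the final line even when an error response echoes it. The sample headers, payload, response and the API key value are all constructed; function names are hypothetical.

```python
"""Masking secrets and user content in request/response debug logs.

Added example, not code from the subtitle-refiner skill. The request,
response and key below are constructed; the key is a fake value.
"""
import copy
import json
import sys

# Constructed sample: a chat-completion style request carrying one SRT cue.
SAMPLE_HEADERS = {
    "Authorization": "Bearer sk-exampleexampleexampleexample1234",  # fake key
    "Content-Type": "application/json",
}
SAMPLE_PAYLOAD = {
    "model": "example-model",
    "messages": [{"role": "user",
                  "content": "1\n00:00:01,000 --> 00:00:03,000\nUm, so, hello there"}],
}
# Constructed error response that echoes the key, as some APIs do.
SAMPLE_RESPONSE = {"error": {"message": "bad key sk-exampleexampleexampleexample1234"}}

SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie"}


def leaky_log(headers, payload, response):
    """The flagged pattern: everything serialized as-is (destined for stderr)."""
    return json.dumps({"headers": headers, "request": payload, "response": response})


def mask_token(value, keep=4):
    """Keep the auth scheme and the last few characters so logs stay correlatable."""
    scheme, _, token = value.partition(" ")
    if not token:                      # no scheme: the whole value is the secret
        scheme, token = "", scheme
    tail = token[-keep:] if len(token) > 2 * keep else ""
    return f"{scheme} ****{tail}".strip()


def redact_headers(headers):
    """Mask only the headers that carry credentials; leave the rest readable."""
    return {k: mask_token(v) if k.lower() in SENSITIVE_HEADERS else v
            for k, v in headers.items()}


def truncate_content(payload, limit=40):
    """Replace long user content with a length marker. Deep-copies so the
    caller's payload, which still has to be sent, is untouched."""
    out = copy.deepcopy(payload)
    for msg in out.get("messages", []):
        text = msg.get("content", "")
        if isinstance(text, str) and len(text) > limit:
            msg["content"] = f"<{len(text)} chars, truncated>"
    return out


def safe_log(headers, payload, response):
    """Redact, serialize, then scrub raw secret values wherever they appear,
    including inside a response body that echoes the key back."""
    secrets = [v.partition(" ")[2] or v
               for k, v in headers.items() if k.lower() in SENSITIVE_HEADERS]
    line = json.dumps({"headers": redact_headers(headers),
                       "request": truncate_content(payload),
                       "response": response})
    for s in secrets:
        line = line.replace(s, "****")
    return line


if __name__ == "__main__":
    print("LEAKY:", leaky_log(SAMPLE_HEADERS, SAMPLE_PAYLOAD, SAMPLE_RESPONSE), file=sys.stderr)
    print("SAFE: ", safe_log(SAMPLE_HEADERS, SAMPLE_PAYLOAD, SAMPLE_RESPONSE), file=sys.stderr)
```

The final scrub pass is the part that matters most in practice: redacting the header alone still leaks the key when the upstream API quotes it in an error message, and the subtitle text is the user's data, so it is truncated rather than logged in full.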
Persistence & Privilege
The skill is not set to always:true and does not request system-wide configuration changes. It does include code that will be executed (Python), but it does not request permanent platform privileges in the manifest.
What to consider before installing
Before installing or enabling this skill:
1) Treat SILICONFLOW_API_KEY as required despite the top-level registry metadata omission; do not set a production key until you have reviewed or modified the code.
2) Inspect scripts/refine.py completely (the visible portion already prints the Bearer token and the entire request/response JSON to stderr); remove or silence any logging that prints the API key or full response bodies.
3) Verify how Feishu file sending is authenticated (SKILL.md asks for chat_id but provides no Feishu token variable); confirm there is no hidden upload endpoint or unexpected external recipient.
4) Consider running the skill in an isolated environment with a throwaway API key and without sensitive subtitles to observe its behavior.
5) Ask the author to fix the manifest inconsistency (declare required env vars) and to stop logging secrets and full user content.
If you cannot confirm these fixes, do not provide real API keys or sensitive files to this skill.
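A static pre-install audit that mechanizes steps 2, 3 and 5 above, written here as an added example (it is not part of the ClawHub scanner or of the skill). It takes a bundle as a dict of path to file text and reports env vars the Python code reads that the manifest does not declare, every external URL the scripts contact, and print/log calls that touch auth headers or dump whole response bodies. The bundle, the manifest key required_env, the hostnames and the env var names are all constructed; the regexes are heuristics and will miss indirect access such as os.environ[name].

```python
"""Pre-install static audit of an agent-skill bundle.

Added example, not code from ClawHub or the subtitle-refiner skill. The
bundle below is constructed for the demo; file names, hostnames, manifest
keys and env var names are hypothetical, and the patterns are heuristics.
"""
import json
import re

SAMPLE_BUNDLE = {
    "manifest.json": json.dumps({"name": "demo-skill", "required_env": []}),
    "scripts/refine.py": (
        "import os, sys, requests\n"
        'API_KEY = os.environ["EXAMPLE_LLM_API_KEY"]\n'
        'HOOK = os.getenv("EXAMPLE_CHAT_WEBHOOK_SECRET", "")\n'
        'headers = {"Authorization": f"Bearer {API_KEY}"}\n'
        'print("headers:", headers, file=sys.stderr)\n'
        'r = requests.post("https://llm.example.com/v1/chat", headers=headers, json={})\n'
        "print(r.json(), file=sys.stderr)\n"
        'requests.post("https://upload.example.net/files", files={"f": open("out.srt", "rb")})\n'
    ),
}

# os.environ["X"], os.environ.get("X"), os.getenv("X") with a literal name.
ENV_RE = re.compile(
    r'(?:os\.environ(?:\.get)?\s*[\[\(]|os\.getenv\s*\()\s*["\']([A-Z_][A-Z0-9_]*)["\']')
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
LOG_CALL_RE = re.compile(r'\b(?:print|logging\.\w+|logger\.\w+)\s*\(')
SECRET_WORD_RE = re.compile(r'authorization|bearer|headers|api_key|token|secret', re.I)
BODY_RE = re.compile(r'\.json\(\)|\.text\b|\.content\b')


def referenced_env_vars(text):
    """Env var names the code reads via literal os.environ/os.getenv access."""
    return set(ENV_RE.findall(text))


def external_urls(text):
    """Every hard-coded http(s) endpoint, sorted and de-duplicated."""
    return sorted(set(URL_RE.findall(text)))


def risky_log_lines(text):
    """(line_no, reason, line) for log/print calls that expose secrets or bodies."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not LOG_CALL_RE.search(line):
            continue
        if SECRET_WORD_RE.search(line):
            hits.append((n, "secret", line.strip()))
        elif BODY_RE.search(line):
            hits.append((n, "full-body", line.strip()))
    return hits


def audit(bundle):
    """Compare what the scripts do against what the manifest declares."""
    declared = set(json.loads(bundle["manifest.json"]).get("required_env", []))
    report = {"undeclared_env": set(), "urls": {}, "risky_logging": {}}
    for path, text in bundle.items():
        if not path.endswith(".py"):
            continue
        report["undeclared_env"] |= referenced_env_vars(text) - declared
        urls = external_urls(text)
        if urls:
            report["urls"][path] = urls
        hits = risky_log_lines(text)
        if hits:
            report["risky_logging"][path] = hits
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BUNDLE), default=sorted, indent=2))
```

To run it on a real download, replace SAMPLE_BUNDLE with a dict built by reading every file in the unpacked zip. An undeclared env var, or a second host beside the LLM endpoint with no declared credential for it, is exactly the kind of finding the scan above reports, and the risky_logging entries are the lines to silence before a real key goes anywhere near the script.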

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b74pfj870e8z1d4r42gxbps82k7nw

