Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

video-transcript

v1.0.0

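Converts video links into text transcripts. Supports YouTube, Bilibili and other platforms. Automatically extracts subtitles; for non-Chinese videos, provides the original text plus a Chinese translation. Use this skill when a user shares a video link or asks for a video's transcript, subtitles or script.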

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code's main behavior: extracting subtitles from YouTube/Bilibili and converting SRT to plain text. However SKILL.md promises translation (original + Chinese translation for non-Chinese videos) while transcript.py contains no translation step or calls to a translation API. Also SKILL.md lists 'pip install yt-dlp' but the registry metadata declares no required binary; runtime actually relies on the yt-dlp executable invoked via subprocess.
Instruction Scope
SKILL.md instructions are limited to downloading subtitles with yt-dlp, cleaning timestamps, and returning text. The actual code follows that scope and does not read unrelated files or external environment variables. It does create a workspace under the user's home (~/.openclaw/workspace/video-transcripts) and invokes yt-dlp, which will make network calls to video hosts (expected).
Install Mechanism
There is no automated install spec (instruction-only), which is low-risk. The skill instructs users to pip install yt-dlp; that is a normal dependency but it is not declared in the metadata. Installing yt-dlp pulls a third-party package and gives that tool network access — normal for this use case but the user should install it from a trusted source (PyPI or official releases).
Credentials
The skill requests no environment variables or credentials and the code does not access secrets or unrelated config paths. No disproportionate credential or environment access is requested.
Persistence & Privilege
always:false and user-invocable:true. The skill writes files under a dedicated directory in the user's home; it does not modify other skills or system-wide configs. No elevated persistence or special privileges are requested.
What to consider before installing
This skill appears to genuinely extract existing subtitles and save plain-text transcripts, but it has two practical inconsistencies you should consider before installing:

- Translation mismatch: The SKILL.md promises Chinese translations for non-Chinese videos, but the included transcript.py does not perform any translation. If you need translated text, the skill will not provide it as-is.
- Missing declared binary dependency: The code uses the yt-dlp executable via subprocess. You must install yt-dlp yourself (follow official sources) for the skill to work; the registry metadata does not declare this runtime binary requirement.

Other considerations:

- yt-dlp will make network requests to the video host to fetch metadata/subtitles; ensure this is acceptable in your environment.
- The script writes files to ~/.openclaw/workspace/video-transcripts. Review or clean that directory as needed.
- Installing yt-dlp should be done from trusted channels (PyPI or official releases).

If you expect automatic translation, request an updated skill or additional code that calls a trusted translation API and declare any required credentials. If these issues are acceptable (you only need raw subtitle→text extraction), the skill is reasonable to use. If you need the promised translations or a declared dependency list, ask the publisher for a corrected version before trusting it.

Like a lobster shell, security has layers — review code before you run it.

latestvk9719r4sxqyp43s8fz7yj0qgd582p1e0
