Skill v1.0.0

ClawScan security

video-transcript · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 3:15 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it says (download and convert embedded subtitles) but there are internal mismatches—most notably SKILL.md promises automatic Chinese translation which the shipped code does not perform, and the runtime dependency on the yt-dlp binary is not declared in metadata—so the package's claims and contents are not fully coherent.
Guidance
This skill appears to genuinely extract existing subtitles and save plain-text transcripts, but it has two practical inconsistencies you should consider before installing:

- Translation mismatch: The SKILL.md promises Chinese translations for non-Chinese videos, but the included transcript.py does not perform any translation. If you need translated text, the skill will not provide it as-is.
- Missing declared binary dependency: The code uses the yt-dlp executable via subprocess. You must install yt-dlp yourself (follow official sources) for the skill to work; the registry metadata does not declare this runtime binary requirement.

Other considerations:

- yt-dlp will make network requests to the video host to fetch metadata/subtitles; ensure this is acceptable in your environment.
- The script writes files to ~/.openclaw/workspace/video-transcripts. Review or clean that directory as needed.
- Installing yt-dlp should be done from trusted channels (PyPI or official releases).

If you expect automatic translation, request an updated skill or additional code that calls a trusted translation API and declare any required credentials. If these issues are acceptable (you only need raw subtitle→text extraction), the skill is reasonable to use. If you need the promised translations or a declared dependency list, ask the publisher for a corrected version before trusting it.

Review Dimensions

Purpose & Capability
note · Name/description match the code's main behavior: extracting subtitles from YouTube/Bilibili and converting SRT to plain text. However, SKILL.md promises translation (original + Chinese translation for non-Chinese videos) while transcript.py contains no translation step or calls to a translation API. Also, SKILL.md lists 'pip install yt-dlp' but the registry metadata declares no required binary; the runtime actually relies on the yt-dlp executable invoked via subprocess.
Instruction Scope
ok · SKILL.md instructions are limited to downloading subtitles with yt-dlp, cleaning timestamps, and returning text. The actual code follows that scope and does not read unrelated files or external environment variables. It does create a workspace under the user's home (~/.openclaw/workspace/video-transcripts) and invokes yt-dlp, which will make network calls to video hosts (expected).
Install Mechanism
note · There is no automated install spec (instruction-only), which is low-risk. The skill instructs users to pip install yt-dlp; that is a normal dependency but it is not declared in the metadata. Installing yt-dlp pulls a third-party package and gives that tool network access — normal for this use case but the user should install it from a trusted source (PyPI or official releases).
Credentials
ok · The skill requests no environment variables or credentials and the code does not access secrets or unrelated config paths. No disproportionate credential or environment access is requested.
Persistence & Privilege
ok · always:false and user-invocable:true. The skill writes files under a dedicated directory in the user's home; it does not modify other skills or system-wide configs. No elevated persistence or special privileges are requested.