Online Video to Transcript

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent with its stated purpose, but it does require disclosed local command execution and npm dependency installation to extract subtitles and create DOCX files.

Before installing, make sure you are comfortable with the agent running yt-dlp and Node locally, contacting video platforms for subtitle retrieval, and installing the npm docx dependency. Use trusted video links and check the output paths for generated files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may run local commands and contact external video platforms when you ask it to process a video link.

Why it was flagged

The skill instructs the agent to run shell commands using a user-supplied video URL and generated transcript text. This is purpose-aligned, but it means local command execution is part of normal use.

Skill content

compatibility:\n  tools:\n    - exec ... yt-dlp --skip-download ... "<URL>" ... node "~/.agents/skills/video-transcript/scripts/make_docx.js" ... "<plain_text>"

Recommendation

Use it only for links you intend to process, keep execution limited to temporary/output paths, and prefer piping transcript content or otherwise safely passing arguments rather than embedding raw text in shell strings.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing or first using the skill may pull third-party Node packages onto the local machine.

Why it was flagged

The first-time setup installs an npm dependency for DOCX generation. This is disclosed and relevant to the skill, but it depends on the external npm package supply chain.

Skill content

docx (npm, local)\n      install: "cd ~/.agents/skills/video-transcript/scripts && npm install"

Recommendation

Install dependencies from trusted networks/sources, review package changes if possible, and consider pinning or locking npm dependencies for repeatable installs.