Skill v1.0.1
ClawScan security
在线视频转文字稿 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 7:28 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and required tools are consistent with its stated purpose (extracting subtitles and producing .docx transcripts) and do not request unrelated permissions or credentials.
- Guidance: This skill appears to be what it claims: it will run yt-dlp (to download subtitles) and Node scripts (to parse SRT and create .docx) on your machine. Before installing/using it: (1) ensure yt-dlp and Node/npm are installed from trusted sources; (2) review and be comfortable with running npm install in the skill's scripts directory (package.json includes the docx dependency); (3) be aware subtitles are downloaded to a temporary directory—check or delete that directory if you have privacy concerns; (4) if no subtitles exist the skill suggests using Whisper, but Whisper is not installed or automated here; and (5) the translation step uses the agent/model (transcripts may be sent to the model for translation), so consider whether you want that content sent to external model endpoints. No credentials are requested by this skill.
Review Dimensions
- Purpose & Capability: ok. Name/description (video → transcript → .docx) matches the included scripts (SRT parsing and DOCX generation) and the declared runtime dependencies (yt-dlp, node, npm docx). There are no credentials, platform-specific APIs, or unrelated tools requested.
- Instruction Scope: note. SKILL.md stays within scope: it runs yt-dlp to fetch .srt files, parses them locally, optionally translates via the agent/model, and generates .docx with included Node scripts. One minor behavioral note: the doc references Whisper as an alternative if no subtitles exist but does not include Whisper installation or automation — this is a functional omission, not a security issue.
- Install Mechanism: ok. This is an instruction-only skill with small included Node scripts; there is no download-from-arbitrary-URL step. It asks the user/agent to install yt-dlp and node/docx via standard package managers (pip/npm/winget). Minor inconsistency: make_docx.js header suggests a global `npm install -g docx` while package.json declares a local dependency — benign but slightly inconsistent.
- Credentials: ok. The skill declares no required environment variables, no credentials, and no config paths. The runtime instructions operate on temporary files and local node/npm packages only, which is proportional to the task.
- Persistence & Privilege: ok. `always` is false and the skill does not request persistent agent-wide privileges or modify other skills. It runs only when invoked and does not demand elevated system presence.
