Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Las Audio Extract And Split

v1.0.0

Audio extract and split operator. Use this skill when user needs to: - Extract audio from video files (mp4, wmv, etc.) - Split audio into segments of specifi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (audio extract & split) match the implementation: the script posts a process request to an LAS operator and supports TOS input/output and format/split options. The need for an API key is coherent with a remote operator call, but the package metadata incorrectly lists no required env vars.
Instruction Scope
SKILL.md and scripts/skill.py restrict operations to constructing a JSON payload and POSTing to the operator endpoint. The script only reads LAS_API_KEY (from environment or env.sh) and does hostname resolution to prevent private-IP targets; it does not attempt to read unrelated system files or exfiltrate arbitrary data.
Install Mechanism
No install spec or external downloads. The skill is delivered with a Python script and docs; nothing is fetched or extracted at install time.
Credentials
The runtime requires LAS_API_KEY (and supports LAS_API_BASE/LAS_REGION overrides), but the registry metadata lists no required env vars — this mismatch is misleading. Requesting a single API key for the remote operator is proportionate, but verify the key's scope and do not store broad credentials in the same env.sh.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide agent settings. It does not request persistent presence or elevated privileges.
What to consider before installing
This skill appears to be what it claims (it posts a job to an LAS operator to extract and split audio), but the registry metadata incorrectly omits the required LAS_API_KEY. Before installing:
1) Confirm you will provide a LAS_API_KEY with only the minimal permissions needed (do not reuse broad or high-privilege keys).
2) Verify the operator endpoint (default operator.las.cn-beijing.volces.com) is trusted for your data and that your TOS paths point to buckets you control.
3) Avoid setting LAS_API_BASE to an untrusted host (the CLI allows overriding the API base).
4) Use the --dry-run to inspect the request payload and test with non-sensitive files first.
If you rely on the registry metadata to audit required secrets, treat its omission of LAS_API_KEY as a metadata bug and correct/confirm the requirement before use.

Like a lobster shell, security has layers — review code before you run it.
