mp4-to-mp3-extractor
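Batch-extracts .mp3 audio files from the .mp4 video files in a specified directory. The script automatically manages its own Python virtual environment and preserves the folder structure.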
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 92 · 0 current installs · 0 all-time installs
by 顶尖王牌程序员 @wangminrui2022
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's description is a straightforward batch MP4→MP3 extractor that 'manages a Python venv'. However the code tries to detect GPU, install GPU/CPU PyTorch, audio-separator, librosa, huggingface-hub, and other heavy ML packages. Installing PyTorch and huggingface-related packages is not necessary for simple ffmpeg-based audio extraction and is disproportionate to the stated purpose.
Instruction Scope
SKILL.md only instructs running the extract script. The script (and env_manager) go far beyond: they detect system GPUs (run nvidia-smi), create/activate a shared venv, install many pip packages, download ffmpeg if missing, and re-exec the main script in the created venv. The top-level imports call ensure_package.pip() before the venv setup, which will run pip against the current interpreter (potentially installing into the host environment) — this contradicts the 'isolated venv' claim and is scope creep.
Install Mechanism
There is no declared install spec, but the code performs network installs at runtime: pip installs via a mirror (pypi.tuna.tsinghua.edu.cn), uses download.pytorch.org for wheels, and invokes ffmpeg-downloader which fetches ffmpeg from third-party hosts. These actions will download large packages/binaries (PyTorch ~GBs, ffmpeg, etc.) from the internet and execute installers during skill execution, which is high-risk and not clearly required for the stated task.
Credentials
The skill declares no required env vars or credentials, but it writes to and creates a venv at a shared path (VENV_DIR under the skill root), creates logs, and may install packages into the global interpreter before switching to the venv. Access to system binaries (nvidia-smi, ffmpeg), network endpoints, and filesystem writes are all used without explicit user consent. While no secrets are requested, these operations are broader than expected for a simple converter.
Persistence & Privilege
always is false and the skill doesn't request elevated OS privileges. However it creates a (potentially shared) venv under the skill root and persistent logs under logs/, and it will re-run itself inside that venv. This grants the skill ongoing presence on disk and could affect other skills if the venv path is shared.
Scan Findings in Context
[subprocess_and_pip_installs] unexpected: Scripts call subprocess.check_call / subprocess.run to pip install packages (torch, audio-separator, librosa, pydub, huggingface-hub). Automatic installation of PyTorch and huggingface-related packages is unnecessary for ffmpeg-based MP3 extraction and is disproportionate.
[ffmpeg_downloader_usage] expected: Downloading or provisioning ffmpeg is reasonable for an extractor; however this skill uses ffmpeg-downloader (which in turn downloads binaries from external hosts) and runs it automatically without prompting.
[nvidia-smi-parsing] unexpected: The env_manager runs and parses nvidia-smi output to decide which torch wheels to install. GPU detection and installing GPU PyTorch is unrelated to simple mp3 extraction and increases risk and resource usage.
[venv_reexec_and_global_pip] unexpected: The script creates a venv then re-execs the main script inside it. However some package installs occur at import time before venv creation, meaning pip may install into the host environment. This contradicts the stated 'isolated venv' behavior.
What to consider before installing
This skill will run code that automatically creates a Python virtual environment, runs pip to install packages from the internet, and may download large binaries (PyTorch and/or ffmpeg) without additional prompts. Those actions are heavier than needed for a simple ffmpeg-based MP3 extractor. Before installing or running:
1) Review and, if desired, edit the scripts to remove PyTorch/huggingface/audio-separator installs (they're not needed for FFmpeg-based extraction).
2) Run the skill in an isolated environment (VM or container) to limit network/disk impact.
3) Ensure you have control over the Python interpreter used (the current code can pip-install into the host Python before creating the venv).
4) If you only need straightforward conversion, consider a minimal script that calls ffmpeg directly (no GPU detection or ML packages).
If you proceed, monitor network activity, disk usage, and the pip install output.
Like a lobster shell, security has layers — review code before you run it.
Current version v1.1.1
Runtime requirements
Bins: python
SKILL.md
MP4 to MP3 Extractor Skill
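Execution steps
- Parse the directory: identify the user's source directory (e.g. D:\Videos).
- Default target: if the user does not specify an output path, default to [source directory]_audio.
- Invoke the command: use the following compatibility command to start the script. It tries python3 first and falls back to python if that fails; the script automatically handles creating and switching to the virtual environment. In the command, <源目录> is the source directory and [目标目录] is the target directory.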
(python3 ./skills/mp4-to-mp3-extractor/scripts/extract.py "<源目录>" "[目标目录]") || (python ./skills/mp4-to-mp3-extractor/scripts/extract.py "<源目录>" "[目标目录]")
Files
8 total
