Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
yby6-video-parser
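v1.0.2
This skill parses short-video links. It supports short-video and image-text links from multiple mainstream platforms such as Douyin, Kuaishou and Bilibili, and can automatically extract speech content and transcribe it to text. Use this skill when you need to fetch video metadata in bulk or convert video content to text.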
⭐ 1· 182·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: many per‑platform parsers, a download/extract/transcribe pipeline, and output to demos/tmp. That capability set reasonably explains the included modules. However, the registry metadata declares no required environment variables or primary credential while the README/SKILL.md and the code clearly expect a SiliconFlow API key for transcription (and optionally an external parse_api_url). This omission in metadata is an incoherence and reduces transparency.
Instruction Scope
SKILL.md and scripts instruct the agent to parse arbitrary share URLs, download remote video files, run ffmpeg locally to extract audio, call an external ASR API (SiliconFlow) with the audio, and write results to demos/ and tmp/. The code also supports using a user‑supplied parse_api_url (an external parsing API). These behaviors are expected for the stated purpose but are broad: they involve network access, file writes, subprocess invocation (ffmpeg), and transmitting audio/URLs to remote services. The skill will read a .env file for secrets even though the registry declared none.
Install Mechanism
There is no automated install step in the skill metadata; it's an instruction+source bundle. The repository contains a requirements.txt (httpx, fake-useragent, requests) and instructs users to pip install them — standard and proportional. No remote download/installation of arbitrary archives or shorteners was found.
Credentials
The skill requires an API key for SiliconFlow (api_key) to perform transcription and reads other optional settings from a .env file (parse_api_url, siliconflow_api_url, auto_cleanup_temp_files). The registry lists no required env vars or primary credential, which is inconsistent. Supplying the API key gives a third‑party service access to audio extracted from any parsed video; parse_api_url (if set) would forward URLs to an arbitrary endpoint. These environment/credential requirements are meaningful and should have been declared in metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configs. It creates files under tmp/ and demos/ and runs local ffmpeg subprocesses — normal for this functionality. Model invocation is allowed (default) but not combined here with other elevated privileges.
What to consider before installing
This package generally does what it says (parses many short‑video platforms and can transcribe audio), but there are important transparency issues: the repository expects a SiliconFlow API key (and can call an external parse_api_url) even though the registry metadata lists no required credentials. Before installing or entering secrets:
1) Do not provide your SiliconFlow API key unless you trust that service and the skill maintainer; the key will be used to upload audio to SiliconFlow for transcription.
2) Do not set parse_api_url to an untrusted endpoint — that would send share URLs to that server.
3) Run the code in a sandboxed environment if possible: it downloads remote videos, writes files under tmp/ and demos/, and invokes ffmpeg via subprocess.
4) Review the code (scripts/transcribe.py and parser modules) yourself or ask the author to explain why metadata omitted required env vars; request an explicit declaration of required credentials.
5) If you only need parsing (no transcription), you can use parse_video_by_url_sync and avoid supplying an API key to limit outbound data.
If you want me to, I can highlight exact lines that read .env, perform network calls, or call SiliconFlow so you can review them quickly.
Like a lobster shell, security has layers — review code before you run it.
latestvk979hwc2a29cp8zyqkqmm6jfdd83g4n6
