Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Short Video Parser
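v2.0.0
This skill parses short-video links. It supports short-video and image-post links from Douyin, Kuaishou, Bilibili and other major platforms, and can automatically extract the speech content and transcribe it to text. Use this skill when you need to batch-collect video metadata or convert video content to text.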
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (video parsing + transcription) matches the included code: many platform parsers, video download, ffmpeg audio extraction, and a transcription flow that posts audio to SiliconFlow. However the registry metadata declares no required env vars or binaries, while SKILL.md and the code clearly expect ffmpeg and a SiliconFlow API key (.env / transcribe.py). That mismatch is unexpected and reduces confidence in the packaging.
Instruction Scope
SKILL.md and the scripts instruct the agent to: parse share URLs (many platforms), download video files, write temporary files under tmp/, call ffmpeg via subprocess to extract audio, and POST the audio to SiliconFlow's transcription API (default https://api.siliconflow.cn). These operations are coherent with the stated purpose. They do involve writing files to disk and transmitting audio to an external service; the README warns about network/API limits. The instructions do not request unrelated system secrets, but they do read a local .env file for configuration (api_key, parse_api_url, auto_cleanup).
Install Mechanism
There is no install spec (instruction-only in registry), yet the skill bundle contains many Python source files and a requirements.txt. This is not necessarily malicious but means the package supplies executable code that will run if the agent executes those scripts. No remote download/install URLs were used in the install spec (lowest installer risk), but the presence of executable code in the bundle increases the runtime surface that will execute HTTP requests and subprocess calls.
Credentials
The code and SKILL.md require or strongly expect a SiliconFlow API key and ffmpeg. Registry metadata lists no required env vars or binaries — an inconsistency. The only sensitive credential referenced is the SiliconFlow bearer token used to upload audio; that is directly related to transcription and is proportionate to the feature, but it is not declared in the registry. The optional parse_api_url can point to an external parser endpoint (which would cause parse requests to be sent there), so supplying that URL gives the skill ability to send share URLs to a third party.
Persistence & Privilege
The skill does not request permanent platform-wide presence (always:false) and does not attempt to modify other skills or system-wide settings. It writes temporary files and outputs reports to demos/ and tmp/ directories (expected for this functionality). The code will execute ffmpeg as a subprocess — normal for audio extraction but note subprocess invocation is present.
What to consider before installing
This package implements exactly the parsing and transcription behavior it advertises, but the registry metadata is incomplete and there are privacy implications you should consider before installing:
- The transcribe flow uploads extracted audio to SiliconFlow (Bearer token from .env or --api_key). If you provide that API key the skill will send your audio to a third‑party service. If you don't want audio uploaded, do not provide the API key or avoid running the transcription step.
- SKILL.md and scripts require ffmpeg on PATH (used via subprocess). The registry does not declare this requirement — install ffmpeg if you plan to transcribe.
- The code downloads videos and stores them in tmp/ and writes Markdown reports to demos/. If you enable auto_cleanup=false or omit cleanup, media files are retained on disk.
- The optional parse_api_url allows using an external parsing API; setting it causes your share URLs to be sent to that endpoint — only set it to a URL you trust.
- Packaging mismatch: registry metadata not declaring required env vars/binaries is a red flag (sloppy or incomplete packaging). Prefer to inspect/run the code in a sandbox or VM first. Review .env and scripts/transcribe.py to confirm endpoints and remove or replace the external transcription endpoint if needed.
Recommended actions before use: inspect the code locally, run in an isolated environment, avoid supplying API keys you don't trust, and consider building a local/no‑upload transcription path if you need to protect sensitive content.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c9s2n7ef9cd9xw79xrvtceh83g3er
Runtime requirements
Environment variables
SILICONFLOW_API_KEY (Optional, transcription is required and mandatory): required
parse_api_url (optional): required