Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Subtitle Extraction and Summarization (Bilibili + Douyin + YouTube + Xiaohongshu)
v3.2.0
This skill should be used when the user shares a video link (Bilibili/B站, Douyin/抖音, YouTube, Xiaohongshu/小红书) and asks to extract subtitles, summarize the v...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the included scripts: the code implements fetching/downloading videos, extracting audio, ASR, subtitle management, danmaku analysis and frame extraction for Bilibili/Douyin/YouTube/Xiaohongshu and local files. However, the registry metadata declares no required binaries or env vars even though the scripts rely heavily on external tools (yt-dlp, ffmpeg/ffprobe, and optional ASR frameworks like FunASR/Whisper/ModelScope and their Python dependencies). This mismatch suggests sloppy packaging or incomplete metadata; the declared requirements are not proportional to what the skill actually needs.
Instruction Scope
SKILL.md and the scripts keep scope to video subtitle extraction, summarization and related analyses. The instructions explicitly tell the agent to run the provided scripts (pipeline.py, video_fetcher.py, speech_to_text.py, etc.) and to use ASR or API subtitles, which is coherent. One notable instruction asks the agent to 'utilize its own knowledge base' to research video authors/figures for credibility—this may cause the agent to perform additional web lookups or use external knowledge resources beyond the video platforms. The skill reads and writes files under ~/.workbuddy/skills/.../cache and uses local model downloads; the docs instruct running subprocesses and downloading data, which is expected for this use case but broad in network and disk activity.
Install Mechanism
There is no install spec (instruction-only metadata), which reduces package-install risk. However the code invokes and depends on external command-line tools (yt-dlp, ffmpeg/ffprobe) and Python packages (funasr, modelscope, whisper, torch, etc.). Some ASR models (FunASR) are noted to download ~1GB or more on first run. That means runtime will fetch large artifacts from upstream sources; while expected for ASR, the metadata does not declare this. No suspicious third-party download URLs are hard-coded, but the runtime will execute subprocesses that perform network downloads.
Credentials
The skill does not declare or require any environment variables or credentials. The code accesses public platform APIs (Bilibili endpoints) and uses yt-dlp to download media; some videos/subtitles may require user login to access, but the skill does not request or store credentials. Overall, requested environment/credential scope is proportionate to its purpose. Note: lack of a declared credential for optional auth-required flows (e.g., private Bilibili subtitles) means those cases may fail rather than silently use credentials.
Persistence & Privilege
The skill stores outputs and a small database under ~/.workbuddy/skills/bilibili-summarizer/cache and subtitles.json. It does not request always:true or attempt to alter other skills' configurations. It will download and persist large ASR models and media files in its cache directory, so disk usage can grow substantially; this is persistent but limited to the skill's own directory.
What to consider before installing
This skill appears to implement the advertised subtitle extraction and summarization features, but there are important practical and security points to check before installing:
- Dependencies: The metadata claims no required binaries, but the scripts require yt-dlp, ffmpeg/ffprobe, and optional Python packages (funasr, modelscope, whisper, torch/torchaudio). Expect to install these manually or the scripts will fail. Confirm you want those tools on your system.
- Large downloads: FunASR/ASR models and Whisper can download hundreds of MBs to multiple GBs on first run. Ensure you have bandwidth and disk space and be prepared for sizeable model/data downloads.
- Network activity: The tool will make outgoing HTTP(S) requests to video platforms (bilibili, api.bilibili.com, youtube via yt-dlp, xiaohongshu, douyin) and will download media. If you must restrict network access, run the skill in an isolated environment.
- Persistent files: Outputs and a subtitles DB are written to ~/.workbuddy/skills/bilibili-summarizer/cache and subtitles.json; review that directory and set disk quotas or cleanup policies as needed.
- No credentials requested: The skill does not ask for API keys, but some subtitle or private-video access might require login; the skill does not securely handle credentials. Avoid supplying platform credentials unless you audit the code and understand where they would be stored/used.
- Review code before running: The repository is not obfuscated and network calls are visible (yt-dlp, urllib to platform APIs). If you rely on least privilege, run the scripts in a sandbox/container first to observe behavior.
If you decide to proceed: run in a controlled environment (container or VM), inspect the cache paths and subprocess usage, and be mindful of model downloads and disk usage. If you prefer not to trust the skill's implicit network/disk actions, consider a hosted or audited alternative.
Tags: bilibili, danmaku, diarize, douyin, latest, speech-recognition, subtitle, transcription, video-summary, xiaohongshu, youtube
