WeryAI video tool — subtitle erase

v1.0.0

Remove burnt-in subtitles or on-screen text from an HTTPS video via WeryAI (video-subtitle-erase). Use when the user wants subtitle or text removal, not tran...

by parallel world @zoucdr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the tool only calls a WeryAI video-subtitle-erase endpoint and requires a single API key (WERYAI_API_KEY) plus Node.js. There are no unrelated credentials, binaries, or config paths requested that would be disproportionate to subtitle/video text removal.
Instruction Scope
SKILL.md explicitly limits inputs to public https:// URLs and optional normalized rectangles, warns against local-file uploads, and requires explicit user confirmation before paid submission. The included script (video_subtitle_erase.js) validates HTTPS URLs, validates rects, reads only WERYAI_API_KEY from env, and performs network calls to api.weryai.com. The visible code does not reference other env vars, local files, or unexpected external endpoints.
Install Mechanism
No install spec is provided (instruction-only with a bundled script), which minimizes install-time risk. The only declared runtime binary is Node (>=18), which is reasonable for the provided JavaScript CLI. Nothing is downloaded or extracted by the skill itself.
Credentials
Only WERYAI_API_KEY is required and designated as the primary credential; the code reads that env var and constructs a Bearer Authorization header. No unrelated SECRET/TOKEN/PASSWORD vars are requested. The SKILL.md and script both state they do not depend on other env vars.
Persistence & Privilege
The skill does not request permanent system presence (always is false), does not modify other skills or global agent config, and contains explicit guidance not to write the API key to disk. Autonomous invocation is allowed (platform default) but not combined with other privileged actions.
Assessment
This package appears coherent with its stated purpose, but take these precautions before installing or running it:
1) Confirm you trust WeryAI and are willing to spend paid credits; the SKILL.md warns that runs are paid and not idempotent.
2) Only pass public https:// video URLs; do not supply local filesystem paths.
3) Verify the package contains only the listed files (SKILL.md, eval.yaml, scripts/video_subtitle_erase.js) and no extra scripts that accept local files or extra env vars.
4) Use the provided 'spec' and '--dry-run' modes to inspect the exact payload before submitting, and keep your WERYAI_API_KEY secret (do not write it to disk).
5) If you need higher assurance, inspect the full (untruncated) script for any hidden endpoints or obfuscated behavior; the portion provided shows only api.weryai.com usage and no other external hosts.
scripts/video_subtitle_erase.js:151
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.



Runtime requirements

🧹 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
