Suspicious — Risk Score 45/100
Last scan: 2 days ago
video-to-text
Free video-to-text API - convert video/audio to text using the free Whisper API
The skill has a significant doc-to-code mismatch: undeclared shell execution via execSync and undeclared filesystem writes, though the underlying functionality appears legitimate for video transcription.
Skill Name: video-to-text
Duration: 32.5s
Engine: pi
Use with caution
Update SKILL.md to declare subprocess/execSync usage and filesystem write operations. Consider rewriting tool.js to use safer child_process.spawn() instead of execSync with string joining.

Findings (4 items)

Severity: Medium
Finding: Undeclared subprocess execution via execSync
tool.js uses child_process.execSync() to execute shell commands, but SKILL.md only declares the tool interface without mentioning this implementation detail.
Evidence: const output = execSync(args.join(' '), { encoding: 'utf-8', maxBuffer: 10 * 1024 * 1024, timeout: 300000 });
→ Declare the shell:WRITE capability in the _meta.json tools section, or refactor to use child_process.spawn() with explicit argument arrays to avoid string injection risk.
Location: tool.js:24

Severity: Medium
Finding: Command injection risk pattern
The execSync(args.join(' ')) pattern joins array elements into a single string before execution. While currently safe (URLs are passed as separate array items), this pattern is fragile and could become exploitable if parameters are modified.
Evidence: const output = execSync(args.join(' '), {...});
→ Use child_process.spawn() with an explicit argument array instead of execSync with string joining.
Location: tool.js:24

Severity: Low
Finding: Undeclared filesystem write to temp directory
index.js downloads files to os.tmpdir() using fs.createWriteStream, but this filesystem:WRITE usage is not declared in SKILL.md.
Evidence: const tempFile = path.join(tmpDir, `video-to-text-${Date.now()}${ext}`);
→ Add filesystem:WRITE to the declared capabilities in _meta.json or document this behavior in SKILL.md.
Location: index.js:44

Severity: Low
Finding: Hidden credential parameter in Python script
scripts/video2text.py accepts an --api-key parameter for AssemblyAI, but this capability is not documented in SKILL.md.
Evidence: p_conv.add_argument('--api-key', help='API Key (AssemblyAI)')
→ Document API key support in SKILL.md or remove it if not needed.
Location: scripts/video2text.py:64
Resource    | Declared | Inferred | Status      | Evidence
Network     | READ     | READ     | ✓ Aligned   | SKILL.md mentions API calls to api.myshell.ai and api.openai.com
Shell       | NONE     | WRITE    | ✗ Violation | tool.js:24 - execSync(args.join(' '))
Filesystem  | NONE     | WRITE    | ✗ Violation | index.js:44 - fs.createWriteStream(tempFile), index.js:103 - fs.unlink()
Environment | NONE     | NONE     | -           | No os.environ access detected
External URLs (4 findings)

Medium | External URL | https://api.myshell.ai/v1/audio/transcriptions | SKILL.md:53
Medium | External URL | https://api.assemblyai.com/v2/upload | scripts/video2text.py:49
Medium | External URL | https://api.assemblyai.com/v2/transcript | scripts/video2text.py:58
Medium | External URL | https://api.assemblyai.com/v2/transcript/ | scripts/video2text.py:69

File Tree

6 files · 16.3 KB · 602 lines
JavaScript: 2 files, 328 lines · Python: 1 file, 141 lines · JSON: 2 files, 70 lines · Markdown: 1 file, 63 lines
├─ 📁 scripts
│ └─ 🐍 video2text.py Python 141L · 4.3 KB
├─ 📋 _meta.json JSON 50L · 1.3 KB
├─ 📜 index.js JavaScript 252L · 6.9 KB
├─ 📋 package.json JSON 20L · 414 B
├─ 📝 SKILL.md Markdown 63L · 1.7 KB
└─ 📜 tool.js JavaScript 76L · 1.7 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
node    | system  | system | No          | Required runtime, no vulnerability scanning applicable

Security Positives

✓ No evidence of credential exfiltration or data theft
✓ No base64-encoded payloads or obfuscated code
✓ No attempts to access ~/.ssh, ~/.aws, or other sensitive paths
✓ No curl|bash remote script execution
✓ No hidden instructions in comments or HTML
✓ Legitimate video transcription functionality with documented API endpoints
✓ Proper file cleanup after processing (fs.unlink)