
Video Analyzer

by minilozio · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Downloads: 757
Stars: 0
Active Installs: 2
Versions: 2
Install in OpenClaw
/install video-analyzer-skill
Description
Download, transcribe, and analyze videos from YouTube, X/Twitter, and TikTok with local Whisper processing. Perfect for extracting TL;DRs, timestamps, and ac...
Usage Guidance
This skill appears to do exactly what it says: download videos, transcribe locally with whisper-cpp, and produce timestamped transcripts. Before installing, consider:
  1. It will install Homebrew packages and download Whisper models (the 'max' model is ~3GB) to /opt/homebrew/share/whisper-cpp — ensure you have disk space.
  2. The script writes to /tmp and your Desktop (downloaded media), so expect files on disk.
  3. The code runs shell commands via subprocess with formatted strings; while it attempts basic quoting for URLs, avoid passing untrusted or crafted inputs (especially odd --lang values) — review the script if you plan to run it in a security-sensitive environment.
  4. The skill does not ask for API keys or try to send transcripts to external endpoints (only model downloads from huggingface and media fetches from the video host), but if you need stronger guarantees, run it in a sandbox or inspect/modify the script to use subprocess calls without shell=True (list form) and stricter input validation.
If those trade-offs are acceptable, the skill is coherent and implementationally reasonable.
Capability Analysis
Type: OpenClaw Skill
Name: video-analyzer-skill
Version: 1.0.1
The skill contains a shell injection vulnerability in `scripts/analyze_video.py` due to the use of `subprocess.run(shell=True)` combined with insufficient input sanitization in the `quote_url` function. A crafted URL containing single quotes and command separators (e.g., `'; touch /tmp/pwned; '`) could lead to arbitrary command execution. While the skill's behavior of downloading videos and fetching models from Hugging Face (`huggingface.co`) aligns with its stated purpose, these high-risk capabilities and the underlying implementation flaw warrant a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description request downloading and local Whisper transcription; required binaries (yt-dlp, ffmpeg, whisper-cli) and the included Python script directly implement that functionality. Homebrew install entries correspond to the declared tools and are proportionate.
Instruction Scope
SKILL.md instructs the agent to run the included script and to read the transcript file it produces — this matches the skill purpose. The script writes files to /tmp, the user's Desktop, and (when models are first downloaded) /opt/homebrew/share/whisper-cpp. One coding concern: the script uses subprocess.run(..., shell=True) with formatted command strings. It attempts to escape single quotes in URLs but does not perform comprehensive sanitization of other user-supplied parameters (e.g., --lang). This is a practical safety note (possible shell-injection vector if malicious input is passed), not an incoherence with the described purpose.
Install Mechanism
Install spec uses Homebrew formulas (uv, yt-dlp, ffmpeg, ggerganov/whisper-cpp). These are expected for local transcription; model downloads use curl from Hugging Face (WHISPER_BASE_URL) which is a reasonable, known host. The large 'max' model may require several GB of disk and time to download — expected behaviour, not malicious.
Credentials
The skill requests no environment variables or secrets. It does write models to a shared Homebrew path and outputs files to Desktop and /tmp, which are consistent with a local transcription/download tool and proportional to its purpose.
Persistence & Privilege
The skill does not request always: true, persistent privileges, or modifications to other skills. It runs on demand and stores models and output files in reasonable locations. No unexpected privilege escalation is present.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install video-analyzer-skill
  3. After installation, invoke the skill by name or use /video-analyzer-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Expanded the description in SKILL.md to clarify when and how to use the skill, especially for requests involving YouTube, X/Twitter, or TikTok video URLs.
- Added practical usage examples to the description, detailing scenarios such as summarizing videos, extracting key points, and analyzing video content.
- No changes to any code or functionality; documentation improvements only.
v1.0.0
Initial public release: download, transcribe, and analyze videos from YouTube, X/Twitter, TikTok with local Whisper
Metadata
Slug video-analyzer-skill
Version 1.0.1
License
All-time Installs 2
Active Installs 2
Total Versions 2
Frequently Asked Questions

What is Video Analyzer?

Download, transcribe, and analyze videos from YouTube, X/Twitter, and TikTok with local Whisper processing. Perfect for extracting TL;DRs, timestamps, and ac... It is an AI Agent Skill for Claude Code / OpenClaw, with 757 downloads so far.

How do I install Video Analyzer?

Run "/install video-analyzer-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Video Analyzer free?

Yes, Video Analyzer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Video Analyzer support?

Video Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Video Analyzer?

It is built and maintained by minilozio (@minilozio); the current version is v1.0.1.
