← 返回 Skills 市场
Video Insight
作者
huuuwnnn-droid
· GitHub ↗
· v1.0.0
· MIT-0
68
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install video-insight
功能描述
Cross-platform video transcript extraction and optional AI summarization for YouTube and Bilibili. GPU auto-detect. Transcript-first with opt-in LLM summary.
安全使用建议
What to consider before installing:
- Privacy: transcripts are cached permanently under ~/.cache/video-insight. If transcripts may contain sensitive content, clear or relocate the cache and inspect Cache.put/get behavior.
- External LLMs: the summarization feature is opt-in, but if you set LLM_API_URL + LLM_API_KEY (or OPENCLAW_GATEWAY_TOKEN), the tool will POST the entire transcript to that endpoint (no truncation). Only set those env vars for endpoints you trust and that have an appropriate privacy policy.
- Browser cookies: on download failure the tool retries with yt-dlp --cookies-from-browser chrome. That causes yt-dlp to access your browser cookie store (potentially exposing authenticated content). If you don't want local browser cookies accessed, avoid allowing that fallback or run in an isolated environment.
- Installation: setup.sh installs Python packages from PyPI and may modify your Python environment or create a venv. Review the script before running; consider installing in an isolated virtual environment or container.
- If you need higher assurance: request the publisher/source, verify package signatures or hashes, or run the tool in an isolated VM/container. If you want the skill but not remote summaries, do not set LLM_API_* or OPENCLAW_GATEWAY_TOKEN and avoid --summarize; manually review cached files and remove them if undesired.
Additional info that would change this assessment: an authoritative source/homepage or explicit metadata declaring the env vars the skill expects (and the privacy implications), or removal/documentation of the yt-dlp cookie fallback. With those clarifications this would likely be classified as benign (coherent) rather than suspicious.
功能分析
Type: OpenClaw Skill
Name: video-insight
Version: 1.0.0
The skill is classified as suspicious due to high-risk capabilities and potential vulnerabilities. Specifically, 'scripts/bilibili.py' attempts to access Chrome browser cookies via 'yt-dlp' to bypass anti-bot measures; while this is a standard feature for video extraction, it is not disclosed in the documentation. Additionally, 'scripts/utils.py' contains a potential Server-Side Request Forgery (SSRF) vulnerability in 'extract_bilibili_id' by following redirects on user-provided URLs without sanitization. These behaviors, while plausibly intended for the stated purpose, represent a significant attack surface and lack of transparency regarding sensitive data access.
能力标签
能力评估
Purpose & Capability
Code and setup align with the stated purpose: yt-dlp, ffmpeg, faster-whisper are used for download, audio extraction, and transcription, and the CLI wraps YouTube/Bilibili handling. However, the code also invokes yt-dlp's --cookies-from-browser fallback (reads browser cookies via yt-dlp) and supports sending full transcripts to arbitrary LLM endpoints — behaviours that are not called out in the top-level metadata and may be surprising to users.
Instruction Scope
SKILL.md says default is transcript-only, but the runtime instructions & code: (1) permanently cache full transcripts to ~/.cache/video-insight, (2) may extract keyframes, (3) on download failure try yt-dlp --cookies-from-browser (reads local browser cookies), and (4) when --summarize is used will post the entire transcript (no truncation) to an external LLM API if LLM envs are set. These are scope-expanding actions (reading browser cookies, persistent local storage, network exfiltration of large transcripts) that are not declared as required in the metadata.
Install Mechanism
No install spec in registry (instruction-only), but a provided setup.sh installs Python deps (yt-dlp, youtube-transcript-api, innertube, requests, faster-whisper) into a venv or system Python. This is a normal approach for such a tool; install uses PyPI (standard). No remote arbitrary binary downloads or obscure URLs in the installer.
Credentials
Registry declares no required env vars, but the code reads many env vars: WHISPER_DEVICE, WHISPER_MODEL, FRAME_TIME_OFFSET, FRAME_INTERVAL, MAX_FRAMES, LLM_API_URL, LLM_API_KEY, LLM_MODEL, OPENCLAW_GATEWAY_TOKEN, etc. In particular, if LLM_API_URL + LLM_API_KEY (or OPENCLAW_GATEWAY_TOKEN) are set, the skill will send full transcripts to that external endpoint — a high-sensitivity action that should be declared and explicitly consented to. Cache storage of transcripts is permanent by default (also not called out as a required configuration item).
Persistence & Privilege
always:false and the skill does not modify other skills. However it writes permanent cached transcript files to ~/.cache/video-insight and creates a venv and cache dir during setup.sh. Temp files are managed and cleaned, but caches are intentionally permanent unless manually removed.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install video-insight - 安装完成后,直接呼叫该 Skill 的名称或使用
/video-insight触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
v1.0.0
元数据
常见问题
Video Insight 是什么?
Cross-platform video transcript extraction and optional AI summarization for YouTube and Bilibili. GPU auto-detect. Transcript-first with opt-in LLM summary. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 68 次。
如何安装 Video Insight?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install video-insight」即可一键安装,无需额外配置。
Video Insight 是免费的吗?
是的,Video Insight 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Video Insight 支持哪些平台?
Video Insight 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Video Insight?
由 huuuwnnn-droid(@huuuwnnn-droid)开发并维护,当前版本 v1.0.0。
推荐 Skills