Is video-subtitles safe?
https://clawhub.ai/ngutman/video-subtitles
The video-subtitles skill is functionally legitimate — a Python script for transcribing and subtitling video using Whisper models. It contains no prompt injection or malicious intent. However, it carries meaningful supply-chain risk through its auto-install mechanism (uv run --script silently fetches PyPI dependencies) and silent ML model downloads from Hugging Face Hub. Additionally, a hardcoded predictable temp file path creates a minor data leak and TOCTOU vulnerability. The code execution risk from the dependency auto-install pattern is the primary concern.
Findings (8)
HIGH (-40): Auto-install of PyPI dependencies via uv run --script
The script uses #!/usr/bin/env -S uv run --script --quiet with inline PEP 723 dependency metadata declaring faster-whisper>=1.0.0. When executed, uv automatically downloads and installs this package from PyPI without explicit user consent. A supply-chain compromise of the faster-whisper package would result in arbitrary code execution.
HIGH (-15): Silent ML model download from Hugging Face Hub
The faster-whisper library automatically downloads ~3GB ML models from Hugging Face Hub on first use (ivrit-ai/whisper-large-v3-turbo-ct2, large-v3-turbo, large-v3). These downloads happen silently during transcription. A compromised model repository could serve malicious model files.
MEDIUM (-10): Subprocess invocation of ffmpeg with constructed filter string
The embed_subtitles function builds an ffmpeg filter string by string formatting and passes it to subprocess.run. Because the arguments are passed as a list, shell injection is mitigated, but the filter string itself is produced by interpolating the SRT path, and ffmpeg filtergraph syntax assigns special meaning to characters such as ':' and quotes, so an unescaped path could break or alter the filter. The hardcoded /tmp/subtitles_temp.srt path limits exploitability today, but the pattern is fragile if the path ever becomes user-controlled.
MEDIUM (-15): Predictable world-readable temp file for subtitle content
Subtitle content is written to /tmp/subtitles_temp.srt — a hardcoded, predictable, world-readable path. On multi-user systems, any process can read the transcription output. This is also vulnerable to symlink/TOCTOU attacks where an attacker pre-creates a symlink at that path pointing to a sensitive file, causing the skill to overwrite it.
LOW (-10): Runtime dependency on external package registries
The skill's execution depends on fetching packages from PyPI (via uv) and models from Hugging Face Hub (via faster-whisper). While not exfiltration, these outbound connections could leak information about the user's environment (IP, user agent, system info) to third-party services.
LOW (-35): Sensitive file access during install phase
During installation, filesystem monitoring detected access to /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and multiple OpenClaw config files. These accesses appear attributable to the OpenClaw agent runtime rather than the skill itself, but the pattern warrants noting.
INFO (-5): Clean SKILL.md with no injection attempts
The SKILL.md is a straightforward usage guide with no hidden instructions, Unicode tricks, HTML comments, persona manipulation, or attempts to override system prompts. The description accurately matches the skill's functionality.
INFO (-45): PATH hijack risk for ffmpeg binary
The script falls back from /opt/homebrew/opt/ffmpeg-full/bin/ffmpeg to bare 'ffmpeg' on PATH. If another skill or process places a malicious binary named 'ffmpeg' earlier in PATH, it would be executed with the user's privileges.