Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Generate Douyin short videos
v1.0.0. Automatically searches for and organizes information on a given topic, generates video scripts in multiple styles, and calls a digital-avatar platform to create a complete short video.
by 陈杨 (@chenyang399)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name/description match the code: pipeline builds a script and can call HeyGen/D-ID/Synthesia to create videos. The files implement searching (stubbed), organizing, script generation, and avatar API calls — consistent with stated purpose. Minor mismatch: SKILL metadata lists no required env vars, while SKILL.md documents multiple provider keys (HEYGEN_API_KEY, DID_API_KEY, SYNTHESIA_API_KEY) — the code actually reads only AVATAR_API_KEY.
Instruction Scope
Runtime instructions and code operate within the expected scope: generate/format content, write files under an output directory, and call third‑party avatar APIs. The pipeline writes local JSON/MD/report files and does not attempt to read unrelated system paths. The search step is intentionally local/stubbed (the SKILL.md mentions fallbacks), which is implemented in code.
Install Mechanism
No install spec; this is an instruction + code bundle that runs with Node. Nothing is downloaded or extracted during install, so installation risk is low. The package uses only core Node modules (fs, https, path); no external package installs are declared.
Credentials
SKILL.md asks for multiple provider-specific API keys (AVATAR_API_KEY, HEYGEN_API_KEY, DID_API_KEY, SYNTHESIA_API_KEY), but the code only reads process.env.AVATAR_API_KEY (and the AvatarVideoGenerator expects a single apiKey value). The registry metadata claims no required env vars. This mismatch is unexplained and could lead to user confusion or accidental disclosure of multiple keys if the user follows SKILL.md rather than code. Requiring a single API key (or clearly documenting provider-specific usage) would be proportionate; the current documentation/metadata/code inconsistency is a red flag to verify before supplying secrets.
Persistence & Privilege
Skill is not always-enabled and does not request elevated/persistent agent privileges. It does not modify other skills or system configuration. It runs as a normal Node script when invoked.
What to consider before installing
This skill largely does what it says (generate scripts and call avatar/video provider APIs), but there are inconsistencies you should resolve before installing or providing API keys:
- Confirm which environment variable the code actually uses: avatar-generator.js reads AVATAR_API_KEY. The SKILL.md lists HEYGEN_API_KEY, DID_API_KEY, and SYNTHESIA_API_KEY as well — that documentation may be outdated or misleading. Only give the minimum key required (preferably a provider-specific, scoped API key) and avoid pasting multiple unrelated credentials.
- Because the source/homepage are unknown, review the avatar-generator.js implementation (it sends Bearer Authorization to provider endpoints) and verify the endpoints are correct for your provider. Prefer creating limited-scope API keys on the provider side.
- The skill writes files under an output directory. Run it in a sandboxed directory or container if you want to limit filesystem impact.
- If you rely on the skill to perform live web searches, note the current implementation uses a local stub for search (no live scraping). If you or someone adds network scraping/third-party search integrations later, re-audit those changes.
- If you need higher assurance, ask the author for provenance (repository, homepage) or a signed release, or run the code in an isolated environment and inspect network traffic when generating a test job.
Like a lobster shell, security has layers: review code before you run it.
