Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Monetization Pro

v1.0.0

End-to-end automation skill for video monetization. Covers trending-topic analysis → MV theme → lyric writing → legal review → Suno prompt → storyboard script → one-click publishing → revenue monitoring. An end-to-end monetization solution designed for video creators.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (video monetization) align with the scripts and binaries (ffmpeg, whisper). However: (1) SKILL metadata declares only SUNO_PHONE, KLING_ACCESS_KEY, KLING_SECRET_KEY but SKILL.md and scripts also reference other credentials (GOOGLE_SEARCH_API_KEY, Suno verify URL, YouTube OAuth, platform login states). (2) Several scripts and docs hardcode absolute paths under /Users/huang and a fixed performer identity (捌十肆), which is not appropriate for a generic skill and could cause unexpected file reads/writes. These mismatches are disproportionate to the stated purpose.
Instruction Scope
Runtime instructions and scripts go beyond simple content generation: they reference web_search calls (consuming Google API keys), Suno API flows (including an SMS verification URL), publish flows to multiple platforms (YouTube OAuth, bilibili-upload, MediaCrawler, browser automation), and automated push reports (Feishu). SKILL.md and scripts reference/expect environment variables and login tokens that are not consistently declared. Scripts also modify files in-place (legal-check.sh uses sed -i.bak). The instructions implicitly require the agent to access local files, credentials, and external endpoints not fully enumerated in metadata.
Install Mechanism
Install spec uses brew to install ffmpeg and openai-whisper — a common, low-risk approach for these binaries. No downloads from personal servers or extract-from-URL installs were found in the manifest.
Credentials
Declared required env vars in metadata (SUNO_PHONE, KLING_ACCESS_KEY, KLING_SECRET_KEY) are plausible for Suno and a 'Kling' publishing service, but SKILL.md asks the user to set additional secrets (GOOGLE_SEARCH_API_KEY, SUNO_VERIFY_URL, YouTube OAuth credentials, platform logins) without listing them in the skill's required envs. Several files contain example phone numbers, emails, and an API token/URL (sms8.net token) baked into documentation — exposing credentials in the repo and suggesting the skill expects use of third-party tokens. This is disproportionate and confusing; it's unclear which secrets are truly required and where they will be used/transmitted.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide privilege escalation, which is good. However, scripts use and write to absolute home paths (e.g., /Users/huang/..., ~/.openclaw/workspace/...), and will update user files in-place (sed -i.bak in legal-check.sh). That hardcoded path usage is risky (could overwrite unexpectedly if a matching path exists) and indicates the package was prepared in a developer environment without sanitization. The skill also describes automated daily reports (push to Feishu), implying scheduled network activity that requires credentials not centrally documented.
What to consider before installing
Key things to consider before installing:
1) Missing / inconsistent credential list: SKILL.md and scripts reference Google API keys, a Suno verification URL, YouTube OAuth, and other platform logins, but the registry metadata only lists SUNO_PHONE and KLING_* keys. Ask the author to provide a single, accurate list of required secrets and explain where each is used.
2) Embedded example credentials/tokens: The repository contains an API token/verification URL (sms8.net) and concrete phone numbers/emails in docs and demo files. Treat these as leaked test data and do not reuse them. Ask the author to remove all embedded tokens and replace them with placeholders before installing.
3) Hardcoded absolute paths and fixed persona: Scripts default to /Users/huang/... and insist on a fixed performer asset path and Bilibili UID. That is inappropriate for general use and could cause accidental reads/writes on your machine. Request that the author make paths configurable (relative to the skill workspace or using $HOME) and remove forced identity constraints.
4) Publishing and automation risks: The skill outlines automated publishing to multiple platforms and auto-sent daily reports. Do not provide platform credentials or OAuth tokens until you have reviewed the publish scripts line by line and tested them in a sandbox. Confirm how credentials are stored and whether tokens are ever transmitted to third parties.
5) Local file modification: legal-check.sh edits input files in-place via sed. Back up files before running. Prefer that the script write reports to separate outputs rather than modifying originals.
6) Test in a sandbox: Run the scripts in an isolated VM/container with no real credentials and with OUTPUT_DIR pointed to a safe directory. Inspect network calls (e.g., with tcpdump) to see which endpoints are contacted when you run each script.
7) Request changes or refuse install if unresolved: Ask the maintainer to
   - remove embedded tokens and personal emails/phone numbers,
   - document exactly which credentials are required (and add them to metadata),
   - replace hardcoded paths with configurable variables defaulting to the skill workspace or $HOME,
   - provide a minimal mode that runs only analysis/lyrics generation without publishing or external credentials.
If the author cannot justify these issues or fix them, treat the package as untrusted and do not install it with real credentials.


Runtime requirements

Runtime: Clawdis
Bins: ffmpeg, whisper
Env: SUNO_PHONE, KLING_ACCESS_KEY, KLING_SECRET_KEY

Install

Install video processing tools
Bins: ffmpeg, whisper
brew install ffmpeg openai-whisper
