Jiuma Free Lip-Sync Digital Human
Review
Audited by ClawScan on May 18, 2026.
Overview
The skill mostly matches its video-generation purpose, but its login flow can expose and persist a Jiuma API key in ways users should review before installing.
Only use this skill if you are comfortable sending your text/audio and avatar choices to Jiuma’s API and storing a Jiuma API key locally. If you log in, watch for secret keys in the output, avoid shared machines, and delete or protect the .jiuma credential file when finished.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to the agent transcript, terminal output, or logs may be able to see and reuse the Jiuma account API key.
This helper prints the full successful API response before returning the data. login.py uses the same helper to check login status and then saves data["secret_key"], so the Jiuma API key can be exposed in terminal or agent logs during login.
print(json_result)
return json_result.get("data")
Do not proceed with login unless you trust the environment. The publisher should remove raw response printing and redact secret_key/access_token values from all output.
The skill may keep a reusable Jiuma API key on disk after the video-generation task is finished.
The skill discloses that it stores the Jiuma API key locally in plaintext. This is purpose-aligned for reusing the service, but it is sensitive persistent credential storage.
**Storage format**: The API key is saved in plain-text format
Review and protect the local .jiuma credential file, remove it when no longer needed, and avoid using this on shared or untrusted machines.
Users may overestimate how protected the saved API key is on multi-user or synced systems.
The documentation states that only the current user can read the saved API key, but the provided code writes the file normally and does not show explicit permission hardening such as chmod.
**Permissions**: Only the current user can read it
Verify file permissions after login and prefer an implementation that explicitly creates the credential file with user-only permissions.
