Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jianying Video Gen

v1.0.0

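Automatically generates AI videos using the Seedance 2.0 model in Jianying (剪映/小云雀). Supports three modes: text-to-video (T2V), image-to-video (I2V), and reference-video generation (V2V). Use this skill when the user needs to generate an AI video, create a short film with the Seedance model, or do style transfer based on a reference image or video. Requires cookies.json login credentials to be configured in advance.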

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the code: the scripts automate xyq.jianying.com using Playwright and require a cookies.json credential file. However, the package already contains a cookies.json with what look like real session cookies (credentials included in the repo), and multiple files hard-code a Windows path (D:\SQLMessage\AI_Videos) as a default output — those choices are not necessary for the stated purpose and are unexpected.
Instruction Scope
SKILL.md instructs the agent to automate the Jianying site, inject cookies, upload reference files, and download generated MP4s. The code follows those instructions (navigates the site, injects cookies, uploads local images/videos, fills forms, polls a task page, and downloads the MP4). It does not appear to read unrelated system files or access external endpoints beyond xyq.jianying.com. Note: by design it will upload any reference files you point it at to the remote service.
Install Mechanism
No install spec is provided (instruction+scripts only). requirements.txt lists Playwright and requests, which is consistent with the code. There is no suspicious remote download/install mechanism in the package itself.
Credentials
The skill does not request environment variables, but the repository ships a cookies.json containing session cookie values for xyq.jianying.com. Bundling credentials with the skill is disproportionate and risky: these cookies grant access to an account on the target service. Also, hard-coded default output paths (D:\SQLMessage\AI_Videos) are unusual and may cause unexpected file creation on installation/runs.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It runs subprocesses to invoke local scripts and creates output directories, which is expected. There is no indication it modifies other skills or system-wide agent settings.
What to consider before installing
This skill automates the Jianying web UI and requires valid cookies.json credentials to work. Before installing:
1) Do NOT trust the included cookies.json — it contains session cookies packaged with the skill; treat that as a credential leak. Replace it with your own exported cookies if you intend to use the skill, or remove the file and provide your own.
2) Expect the skill to upload any reference image/video you point it at to the Jianying service (that is its purpose).
3) Note the odd hard-coded Windows output path (D:\SQLMessage\AI_Videos) in multiple scripts — change output paths to a safe, intended location before running.
4) Run in an isolated environment (sandbox/VM) the first time to observe behavior, and do not reuse sensitive account credentials included in the package.
If you need higher assurance, ask the author for a public homepage or source repo and a version that does not include baked-in credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk971deyzk70kdnxrsgxc2pvajs836q0a
