ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

秦丝旺剪 - AI智能视频剪辑

v1.0.1

秦丝智能视频剪辑APP的API集成,用于创建和管理AI视频剪辑任务。 TRIGGER when: 用户请求创建视频、生成视频剪辑、查看视频任务列表、下载剪辑结果、等待任务完成、配置旺剪账号。 触发词: "创建视频"、"视频剪辑"、"生成视频"、"查看任务"、"下载视频"、"等待视频"、"配置旺剪"、"旺剪账号"、...

0· 221·0 current·0 all-time
by@huangjt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe an API client for QinSilk/Wangcut video editing; included Python client (wangcut_api.py), example config, and usage instructions align with that purpose. The default API base_url (cloud.qinsilk.com) matches the description.
Instruction Scope
Runtime instructions tell the agent to import the provided Python module and to create/update a local config.ini with account credentials. The skill reads/writes config.ini in the working directory or skill/project locations (including a project-root lookup), and downloads videos to a local downloads/ directory — all expected for this kind of client but it does mean user credentials and downloaded video files are stored locally.
Install Mechanism
No install spec; this is an instruction+script skill. docs recommend installing the single dependency 'requests' which is reasonable and expected.
Credentials
The skill requests no environment variables or external credentials beyond the QinSilk account provided by the user. It stores the username/password in a local config.ini (written plaintext in setup_config). That storage and the prompt for credentials are proportionate to the stated functionality but are sensitive — the skill does not declare any other credential access.
Persistence & Privilege
always:false and default autonomous invocation are set (normal). The skill writes/updates its own config.ini and creates a downloads/ directory — expected for a client but this is local persistence of credentials and files that the user should manage (e.g., .gitignore).
Assessment
This skill appears to do what it claims (control QinSilk/Wangcut video tasks). Before installing: (1) be aware it asks you to provide your QinSilk account (username/password) and will write them to a local config.ini in your workspace — do not commit that file to source control; add it to .gitignore. (2) The script stores the password in the config file (and MD5-hashes it only when sending to the server), so treat the config file as sensitive. (3) Verify the base_url (defaults to https://cloud.qinsilk.com/aicut/api/v1) is correct for your account and network; if you have concerns, inspect the full wangcut_api.py for any hidden endpoints before use. (4) Install the 'requests' dependency in an isolated environment (venv) and avoid using high-value or shared credentials unless you trust the service. If you want greater safety, use an account with limited permissions or provision temporary credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f17vkarnjy8yg90rr2wp78582rz9m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments