WeChat channel voice + video with automatic bubble broadcast mode
Advisory
Audited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or poorly chosen output path could overwrite files outside the skill's output folder.
The output filename is joined without validation, so absolute paths or '../' traversal can escape the intended directory; FFmpeg's '-y' option will overwrite an existing file.
parser.add_argument("--output", default="result.mp4", help="输出文件名") ... final_video = os.path.join(OUTPUT_DIR, args.output) ... "-shortest", "-y", output_video
Restrict output to a basename or normalize and verify that the final path remains inside the intended output directory; avoid automatic overwrite unless the user confirms.
The skill may fail or run an unexpected local binary if the hardcoded paths are not appropriate for the user's machine.
The script relies on hardcoded local executables, while the registry metadata declares no required binaries or install setup.
FFMPEG = r"C:\ffmpeg\bin\ffmpeg.exe" ... TTS_PY = r"C:\Users\lenovo\.copaw\venv\Scripts\python.exe"
Declare FFmpeg and edge_tts requirements, avoid developer-specific paths, and let users configure trusted executable locations.
Text or prompt content may be shared with external generation providers.
User-provided text is passed to edge_tts and the background prompt is sent to pollinations.ai for image generation.
cmd = [TTS_PY, "-m", "edge_tts", "--voice", "zh-CN-YunxiNeural", "--text", text, "--write-media", output_mp3] ... url = f"https://image.pollinations.ai/prompt/{encoded_prompt}?width=720&height=1280&nologo=true"
Do not include secrets or sensitive personal data in the text or image prompt unless the external providers' privacy terms are acceptable.
