WeChat Channels voice + video: implementing bubble auto-broadcast mode

Pass. Audited by VirusTotal on May 5, 2026.

Overview

Type: OpenClaw Skill
Name: voice-document-maker
Version: 1.0.0

The skill contains hardcoded absolute file paths to a specific user's directory (C:\Users\lenovo) for the Python interpreter and the FFmpeg executable in scripts/make_video.py, which is highly irregular and suggests an environment-specific or poorly constructed bundle. It also makes external network requests to pollinations.ai to download images and uses subprocess.run to execute commands; combined with the lack of validation on the output filename (potential path traversal), this poses a security risk even though the behaviour is aligned with the skill's stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or poorly chosen output path could overwrite files outside the skill's output folder.

Why it was flagged

The output filename is joined to the output directory without validation, so an absolute path or a '../' traversal sequence can escape the intended directory; FFmpeg's '-y' option then overwrites any existing file at that path without prompting.

Skill content

parser.add_argument("--output", default="result.mp4", help="输出文件名")
...
final_video = os.path.join(OUTPUT_DIR, args.output)
...
"-shortest", "-y", output_video
Recommendation

Restrict output to a basename or normalize and verify that the final path remains inside the intended output directory; avoid automatic overwrite unless the user confirms.

What this means

The skill may fail, or run an unexpected local binary, if the hardcoded paths do not exist or point elsewhere on the user's machine.

Why it was flagged

The script relies on hardcoded local executables (FFmpeg and a user-specific Python virtual environment), while the registry metadata declares no required binaries or install setup.

Skill content

FFMPEG = r"C:\ffmpeg\bin\ffmpeg.exe"
...
TTS_PY = r"C:\Users\lenovo\.copaw\venv\Scripts\python.exe"
Recommendation

Declare FFmpeg and edge_tts requirements, avoid developer-specific paths, and let users configure trusted executable locations.

What this means

Text or prompt content may be shared with external generation providers.

Why it was flagged

User-provided text is passed to edge_tts for speech synthesis, and the background prompt is sent to pollinations.ai for image generation; both are external services.

Skill content

cmd = [TTS_PY, "-m", "edge_tts", "--voice", "zh-CN-YunxiNeural", "--text", text, "--write-media", output_mp3]
...
url = f"https://image.pollinations.ai/prompt/{encoded_prompt}?width=720&height=1280&nologo=true"
Recommendation

Do not include secrets or sensitive personal data in the text or image prompt unless the external providers' privacy terms are acceptable.