Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CreateVideo Podcast to Video

v1.0.0

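Video generation tool. Triggered when the user says "CreateVideo", "创建视频" (create video), "生成视频" (generate video), or provides copy and asks for a video to be made. Supports text-to-speech (via ListenHub MCP), cropping and merging of template videos, and content analysis output. Depends on ffmpeg and the ListenHub MCP Server.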

0· 57·0 current·0 all-time
by Conan @jackyken
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description says the skill depends on ffmpeg/ffprobe and ListenHub MCP, and the runtime instructions use ffmpeg/ffprobe and call ListenHub TTS. However, the registry metadata and requirements list no required binaries, env vars, or install steps. This mismatch (metadata that declares no requirements vs. instructions that require system tools and an MCP server) is incoherent and should be justified.
! Instruction Scope
The SKILL.md instructs the agent to create directories under {skills_dir}/../video-projects, save user audio, run ffprobe/ffmpeg commands, and to install/run a ListenHub MCP server via npx and add it to OpenClaw config. These are within a video-generation scope, but the instructions also tell the agent to download and run external code (npx @marswave/listenhub-mcp-server) and modify OpenClaw configuration — actions with side effects that are not declared in registry metadata.
! Install Mechanism
There is no formal install spec, but the docs explicitly advise running 'npx -y @marswave/listenhub-mcp-server', which will fetch and run code from the npm registry. That is a moderate-risk download/install step that is not captured in the skill's install metadata. ffmpeg/ffprobe are also required by the instructions but not declared as required binaries.
Credentials
The skill declares no required environment variables or credentials. However it requires configuring a ListenHub MCP Server connection in OpenClaw (likely involving endpoints/credentials) and references selecting speaker IDs — the required configuration/credentials are not documented in the skill metadata. No explicit secret exfiltration is requested, but missing credential requirements are a gap.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request system-wide privileges. It writes files under a project directory relative to the skill (video-projects) and suggests adding a service to the agent config, which are expected behaviors for this functionality. Autonomous invocation is allowed by default but not by itself a red flag here.
What to consider before installing
This skill appears to implement a reasonable podcast→video flow, but several things don't add up: (1) the registry lists no required binaries or installs, yet the instructions require ffmpeg/ffprobe and ask you to install a ListenHub MCP server via npx (which will download/run code). (2) It asks you to add the MCP server to OpenClaw config (likely requiring host/credentials) but does not declare what credentials are needed. Before installing or running: verify and trust the npm package @marswave/listenhub-mcp-server (review its npm page/source), ensure ffmpeg/ffprobe are installed from trusted sources, run the MCP server and any new installs in a sandbox if possible, and confirm what configuration/credentials will be stored in your OpenClaw instance. If you need higher assurance, ask the publisher for an explicit install manifest and a list of required credentials and where they are stored.
