Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI视频短视频创作器 (AI Short Video Creator)

v1.0.0

Two-phase AI-narrated video short creator with human review checkpoints. Phase 1 analyzes source materials, generates TTS narration via edge-tts, and exports...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, SKILL.md, README, config-example.py and the two scripts consistently implement a local two-phase AI TTS + FFmpeg video assembly workflow; requested tools (edge-tts, FFmpeg, Python) match the stated purpose.
Instruction Scope
SKILL.md limits scope to local files and human review checkpoints, but the code contains unsafe or inconsistent instructions: step1_generate_review.py references edge_tts.Communicate without importing edge_tts (runtime bug), and step2_edit_video.py builds a long ffmpeg command string and executes it with os.system() (shell execution of user-supplied paths), which can be a command-injection vector if clip paths are untrusted.
Install Mechanism
No install spec; scripts are instruction-only and rely on standard packages (edge-tts via pip) and FFmpeg from official sources. Nothing is downloaded from arbitrary URLs or written to unexpected system locations.
Credentials
The skill declares no environment variables or credentials. The code only reads a user-provided config.py (normal for a local tool) and local media file paths; no hidden credential access or external tokens are requested.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or persistent platform privileges. It writes outputs to user-specified OUTPUT_DIR and VIDEO_DIR only, which is expected behavior for a media tool.
What to consider before installing
This skill appears to do what it says (local TTS + FFmpeg video assembly), but review the code before running:
1) step1_generate_review.py has a missing import for edge_tts and will crash unless corrected — the second script contains a safer async TTS generator that imports edge_tts locally.
2) step2_edit_video.py constructs an ffmpeg command string and runs it via os.system; if any clip paths are attacker-controlled or contain shell metacharacters this could lead to command injection — prefer using subprocess with a list of args or sanitize/validate paths.
3) The tool imports a user-supplied config.py (this executes code), so only use configs from trusted sources.
4) edge-tts will contact Microsoft TTS endpoints (no API key), so expect network traffic for TTS.
If you plan to run this: (a) run it in a controlled environment, (b) inspect/validate clip filenames in your config, (c) patch step1 to import edge_tts or use the step2 helper that imports it, and (d) replace the os.system ffmpeg invocation with subprocess.run(list_args) or use the provided concat fallback to avoid shell execution. If you want, I can produce a small patch for the missing import and convert the xfade command to subprocess-safe invocation.
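As an added illustration of points 2 and (d) above, and not code from the skill itself: a hypothetical reconstruction of the flagged string-building pattern beside the argv-list form the scan recommends, with a VIDEO_DIR containment check. The clip names, the ffmpeg flags and the VIDEO_DIR layout are assumptions; a Python child process stands in for ffmpeg so the demonstration runs without it.

```python
import os
import shlex
import subprocess
import sys
from pathlib import Path

ALLOWED_EXTENSIONS = {".mp4", ".mov", ".mkv"}  # assumed clip types for this tool

def unsafe_ffmpeg_command(clips, narration, output):
    """The pattern the scan flags: paths interpolated into one shell string.
    os.system() hands this to /bin/sh, so ';', '|' or '$(...)' inside a clip
    name become shell syntax. Returned for inspection, never executed here."""
    inputs = " ".join(f"-i {c}" for c in clips)
    return f"ffmpeg {inputs} -i {narration} -c:v libx264 {output}"

def validate_clip_path(path, video_dir):
    """Return the resolved path if it is a media file inside video_dir, else None."""
    base = Path(video_dir).resolve()
    candidate = (Path(path) if os.path.isabs(path) else base / path).resolve()
    if candidate.suffix.lower() not in ALLOWED_EXTENSIONS:
        return None  # e.g. 'clip; echo x' carries no media extension
    if base not in candidate.parents:
        return None  # '../../x.mp4' or an absolute path outside VIDEO_DIR
    return str(candidate)

def build_ffmpeg_args(clips, narration, output, video_dir):
    """Hardened form: an argv list for subprocess.run, so no shell is involved."""
    args = ["ffmpeg", "-y"]
    for clip in clips:
        resolved = validate_clip_path(clip, video_dir)
        if resolved is None:
            raise ValueError(f"rejected clip path: {clip!r}")
        args += ["-i", resolved]
    return args + ["-i", narration, "-c:v", "libx264", "-c:a", "aac", output]

def argv_roundtrip(path):
    """Show that a metacharacter-laden name reaches the child verbatim: each list
    element is one argv entry, so nothing in it is interpreted as shell syntax."""
    echo = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", path]
    return subprocess.run(echo, check=True, capture_output=True, text=True).stdout

def loggable(args):
    """One-line rendering of an argv list for logs; quoting is for display only."""
    return shlex.join(args)
```

Note that validation and the argv list do different jobs: the containment check keeps a config from pointing ffmpeg outside VIDEO_DIR, while the list form is what stops a filename such as `b-roll; echo x.mp4` from ever being parsed by a shell.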

Like a lobster shell, security has layers — review code before you run it.

