Wjs Dubbing Video

Review

Audited by ClawScan on May 13, 2026.

Overview

The dubbing tool mostly matches its purpose, but it tells the agent to load an entire local .env secrets file just to obtain TTS credentials.

Review this skill before installing. Its video dubbing behavior appears coherent, but avoid loading your whole `~/code/.env`; provide only the required Volcano TTS variables if you use that engine. Also expect subtitle text to be sent to external TTS services and note that optional visual diarization downloads a MediaPipe model at runtime.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or using the skill could expose unrelated local secrets to the agent environment, increasing the blast radius if later commands or tools mishandle environment variables.

Why it was flagged

This directs the agent/session to source an entire local .env file, which may contain unrelated API keys or secrets, even though the script only needs specific Volcano TTS credentials.

Skill content

Loading credentials: most users keep them in `~/code/.env`. Read them at the top of any session via:

```bash
set -a; source ~/code/.env; set +a
```

Recommendation

Do not source a broad .env file. Set only `VOLC_TTS_APPID` and `VOLC_TTS_ACCESS_TOKEN` for this task, preferably in a narrow per-command environment.

What this means

Subtitle content may be shared with the selected TTS provider as part of normal dubbing.

Why it was flagged

The script sends subtitle text and the Volcano access key to the disclosed Bytedance TTS endpoint to synthesize audio.

Skill content

```python
url = "https://openspeech.bytedance.com/api/v3/tts/unidirectional"
...
"X-Api-Access-Key": os.environ["VOLC_TTS_ACCESS_TOKEN"],
...
"text": text,
```

Recommendation

Use the skill only with subtitle text you are comfortable sending to the chosen TTS provider, and review provider privacy/cost terms.

What this means

When multi-speaker diarization is used, the skill relies on a remotely fetched model file, which can affect reproducibility and trust in the diarization result.

Why it was flagged

The optional diarization helper downloads a model at runtime to `/tmp/mp_models` without a pinned hash or integrity check.

Skill content

```python
MODEL_URL = ("https://storage.googleapis.com/mediapipe-models/"
             "face_landmarker/face_landmarker/float16/1/face_landmarker.task")
...
urllib.request.urlretrieve(MODEL_URL, MODEL_PATH)
```

Recommendation

Pin and verify the model hash, or document this runtime download clearly so users can preinstall or review the model source.