Wjs Dubbing Video
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill could expose unrelated local secrets to the agent environment, increasing the blast radius if later commands or tools mishandle environment variables.
This directs the agent/session to source an entire local .env file, which may contain unrelated API keys or secrets, even though the script only needs specific Volcano TTS credentials.
Loading credentials: most users keep them in `~/code/.env`. Read them at the top of any session via: ```bash set -a; source ~/code/.env; set +a ```
Do not source a broad .env file. Set only `VOLC_TTS_APPID` and `VOLC_TTS_ACCESS_TOKEN` for this task, preferably in a narrow per-command environment.
Subtitle content may be shared with the selected TTS provider as part of normal dubbing.
The script sends subtitle text and the Volcano access key to the disclosed Bytedance TTS endpoint to synthesize audio.
url = "https://openspeech.bytedance.com/api/v3/tts/unidirectional" ... "X-Api-Access-Key": os.environ["VOLC_TTS_ACCESS_TOKEN"], ... "text": text,
Use the skill only with subtitle text you are comfortable sending to the chosen TTS provider, and review provider privacy/cost terms.
When multi-speaker diarization is used, the skill relies on a remotely fetched model file, which can affect reproducibility and trust in the diarization result.
The optional diarization helper downloads a model at runtime to `/tmp/mp_models` without a pinned hash or integrity check.
MODEL_URL = ("https://storage.googleapis.com/mediapipe-models/"
"face_landmarker/face_landmarker/float16/1/face_landmarker.task")
...
urllib.request.urlretrieve(MODEL_URL, MODEL_PATH)Pin and verify the model hash, or document this runtime download clearly so users can preinstall or review the model source.