baiyin-digital-human-lipsync

Status: Warn. Audited by ClawScan on May 10, 2026.

Overview

The Baiyin digital-human API workflow is mostly coherent, but the skill adds a mandatory self-update step that could change the installed skill before use without clear user approval.

Review this skill carefully before installing. The Baiyin API behavior is understandable, but the mandatory self-update instruction is the main issue: it could change the installed skill without a clear approval step. Only use it if you are comfortable providing a Baiyin API key, uploading the intended media to Baiyin, and accepting or disabling the self-update behavior.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

The agent could modify the installed skill and then continue the task using new instructions the user has not reviewed.

Why it was flagged

The skill mandates a remote version check and local skill update before any Baiyin task handling. This can alter the installed skill from a remote source without clear user confirmation.

Skill content

Request remote version information from SkillHub... If the remote version is newer → update the local skill first, then continue the current task... DO NOT skip this step and handle the user's request directly

Recommendation

Remove the mandatory self-update behavior, or require explicit user approval plus a trusted, pinned, and verifiable update source before changing local skill files.

Finding 2

What this means

Providing the key lets the agent act against the Baiyin account for this workflow.

Why it was flagged

The skill uses a bearer API key for the Baiyin platform. This is expected for the integration, but the key grants account-level access for task creation/querying and may consume account credits.

Skill content

Prerequisites - `BAIYIN_API_KEY` ... Authentication method: `Authorization: Bearer <API_KEY>`

Recommendation

Use a dedicated, revocable API key with the least privileges available, and rotate it if exposed. The registry metadata should also clearly declare the required credential.

Finding 3

What this means

Audio or image content used for generation may leave the local environment and become accessible through a generated URL.

Why it was flagged

The skill may send user-provided audio or image files to Baiyin's upload endpoint to obtain a public URL. This is purpose-aligned for digital-human generation, but it moves selected local/private media to an external provider.

Skill content

When a digital-human task requires a public image or audio URL but the user has provided a local file path or a chat attachment... upload the file through the Baiyin Open Platform file-upload API, obtain the public URL, and then continue

Recommendation

Upload only files intended for Baiyin processing, avoid sensitive media, and review Baiyin's retention and access controls for uploaded files.