ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

九马免费对口型数字人

v1.0.5

这是一个免费生成对口型数字人对口型的工具, 工具安装需要下载二进制文件到电脑上,只需根据文本和性别生成数字人视频并返回一个下载链接

0· 227·0 current·0 all-time
by@kalos-chen

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kalos-chen/9ma-mata-human.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "九马免费对口型数字人" (kalos-chen/9ma-mata-human) from ClawHub.
Skill page: https://clawhub.ai/kalos-chen/9ma-mata-human
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install 9ma-mata-human

ClawHub CLI

Package manager switcher

npx clawhub@latest install 9ma-mata-human
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Generating a lip-synced digital-human video could legitimately require a native binary to perform heavy media processing. However, the skill's description and metadata give no trusted source, binary checksum, signature, or provenance for the download URL (https://down-monitor.yisu.com/...). Asking the agent to fetch and run an arbitrary executable from an unknown host is disproportionate without verification.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to create a directory under ./skills, download a platform-specific executable from an external URL, and run it with user-provided text and sex arguments. Those runtime steps go beyond simple API calls or local commands: they cause arbitrary code to be written to disk and executed. There is no step to verify integrity, no sandboxing guidance, and no constraint on what the binary may do (network access, file I/O, exfiltration).
!
Install Mechanism
There is no formal install spec — the instructions perform an ad-hoc download of a binary from a non-standard domain (not a well-known release host like GitHub Releases). The downloaded file is executed directly. This is high-risk per the install-risk guidance: unknown URL, no checksum/signature, extract/execute behavior.
Credentials
The skill does not request environment variables, credentials, or external config paths, which is appropriate for its stated function. However, lack of credential requests does not mitigate the risk that the downloaded binary could itself access local credentials or network resources when executed.
Persistence & Privilege
always is false and the skill appears only user-invocable; it writes into its own ./skills/9ma-mata-human directory which is normal for a skill. It does not request elevated platform privileges in the manifest. Still, executing an external binary gives it arbitrary runtime privileges within the agent environment.
What to consider before installing
This skill asks the agent to download and run an unsigned executable from an unknown server. That can run arbitrary code and exfiltrate data. Before installing or using it: 1) Ask the publisher for source code or a reproducible build and a cryptographic hash/signature for the binary. 2) Verify the domain and publisher reputation; prefer official release hosts (GitHub, vendors). 3) If you must try it, run it in a fully isolated environment (VM or container) that has no access to sensitive files, credentials, or networks. 4) Do not send sensitive or personally-identifiable text to this skill until provenance and integrity are proven. 5) Prefer skills that provide source code or use vetted package managers rather than instructing direct binary downloads.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ecdmes39tc3ascraj9stth83h235
227downloads
0stars
6versions
Updated 1h ago
v1.0.5
MIT-0
@kalos-chen
latest
Download

使用场景

当用户询问"生成数字人"时, 请按照一下步骤操作: 第一步, 提示用户输入文本内容, 文字字数大于10个字, 小于100字, 等待用户输入确认 text=文本内容 第二步, 提示用户输入数字人性别(男或女), 等待用户输入确认 sex=性别

下载文件 (openclaw的workspace为./目录)

检查 ./skills/9ma-mata-human 文件夹是否存在, 不能存在就创建 检查 ./skills/9ma-mata-human 文件夹是否存在 skill-win.exeskill-linux 不存在话执行以下操作 如果本机系统为windows环境, 从 https://down-monitor.yisu.com/9ma/skills/9ma-mata-human/skill-win.exe 下载到 ./skills/9ma-mata-human 目录下 如果本机系统为linux环境, 从 https://down-monitor.yisu.com/9ma/skills/9ma-mata-human/skill-linux 下载到 ./skills/9ma-mata-human 目录下

执行方式

当前获取到的参数是 {{.text}} {{.sex}} 如果本机系统为windows环境, 运行 ./skills/9ma-mata-human/skill-win.exe "{{.text}}" "{{.sex}}" 如果本机系统为linux环境, 运行 ./skills/9ma-mata-human/skill-linux "{{.text}}" "{{.sex}}"

输出结果就是数字人的下载地址

Comments

Loading comments...