Pipixia Drama Producer
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its video-production purpose, but it deserves review because one video-sending script can treat a crafted filename as code while also using Feishu credentials to post media.
Use this only if you intend the agent to create media and post it to Feishu. Set Feishu credentials with least privilege, confirm the destination chat_id and media before sending, and patch send_video.sh, or avoid running it on untrusted filenames, until the python3 -c interpolation issue is fixed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted video filename could cause local code to run when the agent sends the video, beyond the intended ffprobe duration check.
The user-supplied video path is expanded directly into Python source passed to python3 -c. A filename containing quote characters and Python syntax could alter the generated code instead of being treated only as a file path.
Evidence: VIDEO_FILE="$1" ... python3 -c "... subprocess.run(['$FFPROBE_BIN', ... ,'$VIDEO_FILE'], capture_output=True, text=True)"
Recommendation: Refactor this duration check to pass the filename as an argv value or environment variable to Python, not by string interpolation; also avoid processing untrusted filenames until fixed.
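A hardened form of that duration check, written here as an added example and not the skill's own send_video.sh: the path reaches Python as an argv entry instead of being spliced into the program text, and a constructed stand-in for ffprobe (which simply echoes the path it received) makes the example runnable offline. FFPROBE_BIN is the variable from the snippet above; the function and helper names are assumptions.

```shell
#!/bin/sh
# Added example: a duration check that never builds Python source from the
# filename. FFPROBE_BIN is the variable used by the audited snippet; the
# function and helper names below are assumptions for this example.
FFPROBE_BIN="${FFPROBE_BIN:-ffprobe}"

video_duration() {
    # "$1" becomes sys.argv[2] inside Python, so quotes or Python syntax in
    # the name stay an opaque string. The quoted heredoc stops the shell from
    # expanding anything into the program text.
    [ -f "$1" ] || { printf 'no such file: %s\n' "$1" >&2; return 1; }
    python3 - "$FFPROBE_BIN" "$1" <<'PY'
import subprocess, sys
ffprobe, path = sys.argv[1], sys.argv[2]
r = subprocess.run(
    [ffprobe, "-v", "error", "-show_entries", "format=duration",
     "-of", "default=noprint_wrappers=1:nokey=1", path],
    capture_output=True, text=True)
if r.returncode != 0:
    sys.exit(r.stderr.strip() or "ffprobe failed")
print(r.stdout.strip())
PY
}

make_mock_ffprobe() {
    # Constructed stand-in for ffprobe so the example runs offline: it prints
    # its last argument, i.e. the path exactly as Python handed it over.
    dir=$(mktemp -d)
    cat > "$dir/ffprobe" <<'EOF'
#!/bin/sh
for last; do :; done
printf '%s\n' "$last"
EOF
    chmod +x "$dir/ffprobe"
    printf '%s\n' "$dir/ffprobe"
}

# Demo with a constructed filename containing quote characters: the mock
# echoes the same path back, showing it was passed through unmodified.
FFPROBE_BIN=$(make_mock_ffprobe)
demo="$(dirname "$FFPROBE_BIN")/clip's \"take 2\".mp4"
: > "$demo"
video_duration "$demo"
```

With a real ffprobe in FFPROBE_BIN the function prints the duration in seconds; the mock is only there to show the path survives intact.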
If these credentials are broad or the wrong chat_id is used, the agent could post files or audio to unintended Feishu chats.
The skill requires Feishu app credentials with message and file permissions so it can upload and send media.
Evidence: `FEISHU_APP_ID` ... `FEISHU_APP_SECRET` ... Feishu app permission requirements: `im:message:send`, `im:file`, `im:image`
Recommendation: Use a Feishu app with the narrowest practical permissions, store the secret securely, and verify the target chat_id before sending.
Running the send script publishes media to a Feishu group using the app’s authority.
The script uploads a selected local video and sends it to the supplied Feishu chat_id. This is expected for the skill, but it is an immediate external posting action.
Evidence: curl -sf -X POST "https://open.feishu.cn/open-apis/im/v1/files" ... -F "file=@${VIDEO_FILE};type=video/mp4" ... /im/v1/messages?receive_id_type=chat_id
Recommendation: Require explicit user confirmation of the file, cover image, and chat_id before invoking the send scripts.
Users may not see the required tools, network/API use, or credential need before installing or invoking the skill.
The registry metadata under-declares dependencies and credentials that SKILL.md and the scripts require, including Feishu credentials and local media tools.
Evidence (registry metadata): Required binaries: none; Required env vars: none; Primary credential: none; No install spec — this is an instruction-only skill.
Recommendation: Declare FEISHU_APP_ID, FEISHU_APP_SECRET, ffmpeg/ffprobe, edge-tts, curl, and the Feishu network endpoint in the skill metadata or install requirements.
