Pipixia Drama Producer
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: pipixia-drama-producer
Version: 1.1.0
The skill bundle provides a legitimate workflow for generating, editing, and publishing short videos to Feishu. The scripts (send_audio.sh, send_video.sh, mix_audio.py) use standard tools like ffmpeg and curl to interact with the Feishu API and process media, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted video filename could cause local code to run when the agent sends the video, beyond the intended ffprobe duration check.
The user-supplied video path is expanded directly into Python source passed to python3 -c. A filename containing quote characters and Python syntax could alter the generated code instead of being treated only as a file path.
VIDEO_FILE="$1" ... python3 -c "... subprocess.run(['$FFPROBE_BIN', ... ,'$VIDEO_FILE'], capture_output=True, text=True)"
Refactor this duration check to pass the filename as an argv value or environment variable to Python, not by string interpolation; also avoid processing untrusted filenames until fixed.
If these credentials are broad or the wrong chat_id is used, the agent could post files or audio to unintended Feishu chats.
The skill requires Feishu app credentials with message and file permissions so it can upload and send media.
`FEISHU_APP_ID` ... `FEISHU_APP_SECRET` ... Feishu app permission requirements: `im:message:send`, `im:file`, `im:image`
Use a Feishu app with the narrowest practical permissions, store the secret securely, and verify the target chat_id before sending.
Running the send script publishes media to a Feishu group using the app’s authority.
The script uploads a selected local video and sends it to the supplied Feishu chat_id. This is expected for the skill, but it is an immediate external posting action.
curl -sf -X POST "https://open.feishu.cn/open-apis/im/v1/files" ... -F "file=@${VIDEO_FILE};type=video/mp4" ... /im/v1/messages?receive_id_type=chat_id
Require explicit user confirmation of the file, cover image, and chat_id before invoking the send scripts.
Users may not see the required tools, network/API use, or credential need before installing or invoking the skill.
The registry metadata under-declares dependencies and credentials that SKILL.md and the scripts require, including Feishu credentials and local media tools.
Required binaries: none; Required env vars: none; Primary credential: none; No install spec — this is an instruction-only skill.
Declare FEISHU_APP_ID, FEISHU_APP_SECRET, ffmpeg/ffprobe, edge-tts, curl, and the Feishu network endpoint in the skill metadata or install requirements.
