Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

zeelin-script-gen-skill 剧本生成

v1.0.0

剧本生成技能V4,将文本文件(小说/故事)转换为完整的影视分镜剧本。当用户说'生成剧本'、'小说转剧本'、'创建分镜'、'影视改编'等并上传文本文件时使用此技能。

0· 31·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared registry metadata lists no required env vars and only python3 as a binary, but the SKILL.md expects the user to supply a Zeelin App-Key (a secret) via templates/config.json and references a service_url (http://47.98.180.113:8081). The skill's described purpose (convert uploaded text into a script) does justify uploading files and calling an external API, but the secret-handling approach (storing App-Key in a config file) and the presence of a hard-coded raw IP as the default service_url are unexpected and inconsistent with the metadata.
!
Instruction Scope
Instructions explicitly tell the agent to read local files and upload the file contents to an external service (service_url at raw IP 47.98.180.113) and to place the App-Key into templates/config.json. Reading & uploading the user's uploaded text is required for the feature, but storing a secret in a skill file and uploading potentially sensitive user files to an external endpoint (and OSS) are scope-expanding operations the user should understand and consent to. The skill also mandates polling behavior and strict presentation formatting, which is fine functionally but not a security problem by itself.
Install Mechanism
There is no install spec in the registry (instruction-only), which is lowest risk. However, the SKILL.md metadata lists pip dependencies (flask, requests, oss2). That is inconsistent with the registry's 'no install' stance and with a client-only skill (flask is a server-side dependency and unexpected for a client uploader). Because there is no automatic install spec, no packages will necessarily be pulled — but the discrepancy is noteworthy and could result in future unexpected installations if the agent honors the metadata.
!
Credentials
The skill requires a Zeelin App-Key to operate, but the registry declares no required environment variables or primary credential. The SKILL.md asks users to paste the App-Key into a local templates/config.json file (plaintext), rather than using an explicitly-declared environment variable or secret store. This is disproportionate to the transparency provided by the metadata and increases the risk of accidental credential exposure.
Persistence & Privilege
The skill does not request system-wide privileges, is not always-enabled, and does not claim to modify other skills or system settings. It does ask the user/agent to write the App-Key into its templates/config.json (its own files), which is permitted behavior but should be done deliberately.
What to consider before installing
This skill likely does what it says (uploads a user file to an external service and returns a generated script) but there are several red flags you should consider before installing: 1) The skill asks you to put your Zeelin App-Key directly into templates/config.json; prefer storing secrets in an environment variable or a secure secret store rather than in plaintext files. 2) The default service_url is a raw IP (http://47.98.180.113:8081) — confirm this endpoint and the operator (skills.zeelin.cn is referenced too). Verify TLS/HTTPS is used and review the service's privacy/security policy before uploading sensitive text. 3) The SKILL.md metadata lists pip packages including flask (a server framework) which is unexpected for a client-only uploader; be cautious if an installer later attempts to install additional packages. 4) Test the skill with non-sensitive sample files and a throwaway App-Key or account first; confirm where uploaded files are stored, retention policy, and billing implications. If you need the skill, ask the author/provider to: (a) declare the App-Key requirement in metadata, (b) support reading the App-Key from a secure env var, and (c) use a verified domain with HTTPS rather than a raw IP.
!
templates/config.json:4
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📝 Clawdis
Binspython3
latestvk97ejevqs8cj307rmnv7y61m8n859km1
31downloads
0stars
1versions
Updated 15h ago
v1.0.0
MIT-0

剧本生成技能 V4

技能说明

这个技能帮助用户将文本文件(小说、故事等)自动转换为完整的影视分镜剧本,包括角色档案、剧集大纲和分镜脚本。

功能:将文本内容自动转换为结构化的影视分镜剧本。


使用方法

注意:以下示例使用 curl 展示请求格式,实际由 OpenClaw 工具调用执行,无需手动执行命令。

第一步:首次使用配置

使用本技能前,需要配置智灵平台的 App-Key。

步骤 1:注册智灵账号

步骤 2:创建应用

  • 登录后进入控制台 → 应用管理
  • 点击"创建应用",填写应用名称
  • 复制生成的 App-Key

步骤 3:配置到技能

  • 打开本 Skill 的配置文件:templates/config.json
  • 将复制的 App-Key 粘贴到 Zeelin_App_Key 字段
  • 保存文件,重新触发本技能即可使用

配置示例:

{
  "Zeelin_App_Key": "xxxxxxxxxxxxxxxxxxx",
  "Zeelin_Api_Url": "https://skills.zeelin.cn",
  "Zeelin_Website_Url": "https://skills.zeelin.cn",
  "service_url": "http://47.98.180.113:8081"
}

第二步:上传文本文件到 OSS

接口: POST {service_url}/api/skill/upload

请求格式: multipart/form-data (不是 JSON!)

参数:

参数名位置类型必填说明
appKeyform-datastring用户的 Zeelin_App_Key
fileform-datafile本地文本文件二进制数据

示例请求:

curl -X POST "http://47.98.180.113:8081/api/skill/upload" \
  -F "appKey=YOUR_APP_KEY" \
  -F "file=@/path/to/novel.txt"

成功响应:

{
  "code": 200,
  "data": {
    "oss_url": "https://jumuai.oss-cn-hangzhou.aliyuncs.com/...",
    "filename": "novel.txt",
    "size": 123456
  }
}

⚠️ 文件限制

  • 最大 50MB
  • 格式:PDF、DOCX、TXT、MD

第三步:提交剧本生成任务

接口: POST {service_url}/api/skill/script

请求格式: application/json

Header:

参数名类型必填说明
App-Keystring用户的智灵应用 Key

Body 参数:

参数名类型必填说明
ossstring上传后返回的 OSS 文件链接
episode_duration_minutesint每集时长(分钟),默认 2
episode_count_minint最少集数,默认 10
episode_count_maxint最多集数,默认 15

示例请求:

curl -X POST "http://47.98.180.113:8081/api/skill/script" \
  -H "Content-Type: application/json" \
  -H "App-Key: YOUR_APP_KEY" \
  -d '{
    "oss": "https://jumuai.oss-cn-hangzhou.aliyuncs.com/...novel.txt",
    "episode_duration_minutes": 2,
    "episode_count_min": 10,
    "episode_count_max": 15
  }'

成功响应:

{
  "code": 200,
  "message": "任务已提交,处理中",
  "data": {
    "task_id": "script_xxx",
    "status": "pending"
  }
}

第四步:轮询查询任务状态(必须执行)

⚠️ 剧本生成时间较长,请耐心等待!

轮询策略(根据进度动态调整,节省额度):

当前进度查询间隔说明
< 70%(33% 人物提取、66% 大纲审核)每 3 分钟处理初期和中期,耐心等待
≥ 70%(接近 100% 完成)每 1 分钟接近完成,缩短间隔及时获取结果
最多轮询 40 分钟-长文本可能需要较长时间

⚠️ 费用提示:剧本生成涉及多次 AI 调用,使用智灵模型时频繁查询会产生费用,建议严格按上述间隔查询。

告诉用户的提示语

  • 提交时:"剧本生成任务已提交,预计处理 15-30 分钟,请稍候..."
  • 33% 时:"当前进度 33%,人物提取完成,正在审核大纲..."
  • 66% 时:"当前进度 66%,大纲审核完成,正在生成分镜剧本..."
  • 完成时:"剧本生成完成!"并展示 result

示例指令(模型执行)

# 第一次查询(提交后立即)
curl "http://47.98.180.113:8081/api/skill/status/script_xxx"
→ 返回 progress=33(人物提取完成)
→ 告诉用户:"当前进度 33%,人物提取完成,正在审核大纲..."
→ sleep 180  # 等待 3 分钟

# 第二次查询
curl "http://47.98.180.113:8081/api/skill/status/script_xxx"
→ 返回 progress=66(大纲审核完成)
→ 告诉用户:"当前进度 66%,大纲审核完成,正在生成分镜..."
→ sleep 180  # 等待 3 分钟

# 第三次查询
curl "http://47.98.180.113:8081/api/skill/status/script_xxx"
→ 返回 progress=100, status=succeeded
→ 告诉用户:"剧本生成完成!"并展示结果
  最后生成一个 md 文件来让用户进行查看

结果展示格式(Markdown)

⚠️ 重要:获取到 result 后,必须将结果格式化为 Markdown 展示给用户,不要直接返回原始 JSON!

格式化要求

  • 使用 Markdown 标题层级(# ## ###)组织内容
  • 使用表格展示结构化数据
  • 添加适当的 emoji 图标增强可读性
  • 根据实际返回的数据结构灵活调整格式
  • 如果某些字段为空,可以省略对应章节
  • 不要编造数据,只展示 result 中实际存在的内容
  • 最后给用户呈现结果时生成一个 md 文件来让用户进行查看

展示内容顺序

  1. 📌 标题和基本信息

    • 作品标题
    • 总集数
  2. 👥 角色档案

    • 角色名称、角色定位(男主/女主/配角等)
    • 角色描述(外貌、性格、特点)
  3. 📋 剧集大纲

    • 题材类型
    • 世界观设定
    • 每集的故事节拍、大事件、关键冲突与转折
  4. 🎬 分镜剧本(展示前 2-3 个分镜)

    • 分场信息
    • 情绪曲线
    • 每个镜头的场景、画面描述、台词、角色

完整调用流程

用户: "生成剧本" + 上传文本文件
  ↓
OpenClaw: 读取本地文本文件
  ↓
OpenClaw: 1️⃣ POST {service_url}/api/skill/upload
          Content-Type: multipart/form-data
          Body: appKey=xxx&file=文件二进制
  ↓
Skill服务: 接收文件 → 上传OSS → 返回 oss_url
  ↓
OpenClaw: 2️⃣ POST {service_url}/api/skill/script
          Headers: App-Key={Zeelin_App_Key}
          Content-Type: application/json
          Body: {"oss": "...", "episode_duration_minutes": 2, "episode_count_min": 10, "episode_count_max": 15}
  ↓
Skill服务: 验证额度 → 扣费 → 提交AI任务 → 返回 task_id
  ↓
OpenClaw: 3️⃣ 轮询 GET {service_url}/api/skill/status/{task_id}
          根据进度动态间隔查询(3分钟/1分钟)
  ↓
OpenClaw: 展示剧本生成结果给用户(Markdown 格式)

费用说明

服务类型计费标准示例
剧本生成120额度/万字8000字=120额度,15000字=240额度

计费规则

  • 按字数向上取整到万字(如8500字按1万字计)
  • 提交任务时扣除额度,任务失败自动返还
  • 额度从您的智灵账户中扣除

常见问题

Q: App-Key 格式是什么?
A: 任意字符串,从 config.json 的 Zeelin_App_Key 字段读取。

Q: 上传接口的 appKey 放哪里?
A: 放在 form-data 里(appKey=xxx),不是 Header!

Q: 支持多大的文本文件?
A: 单文件最大 50MB。

Q: 支持哪些文本格式?
A: PDF、DOCX、TXT、MD。

Q: 任务失败会扣费吗?
A: 不会。任务失败时自动返还已扣除的额度。

Q: 上传的文件会保留吗?
A: 临时文件上传到服务器配置的 OSS,24 小时后自动过期清理。


技术支持

Comments

Loading comments...