ZeeLin-video-analysis: shot-by-shot video breakdown
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill’s video-analysis purpose is coherent, but it sends uploaded videos and an App-Key to an unverified raw-IP HTTP service.
Review this skill carefully before installing. It may be useful for video analysis, but only proceed if you trust the Zeelin service, can verify the raw-IP endpoint, accept the quota costs, and are comfortable uploading the selected video and App-Key to that backend.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private videos and the service key could be exposed to or mishandled by an endpoint the user cannot easily verify.
The skill directs OpenClaw to upload a local video file and the user’s App-Key to a raw-IP HTTP endpoint, creating an unclear and unencrypted sensitive data boundary.
curl -X POST "http://47.98.180.113:8083/api/skill/upload" ... -F "appKey=YOUR_APP_KEY" ... -F "file=@/path/to/local/video.mp4"
Only use non-sensitive videos unless the provider confirms the endpoint, uses HTTPS on a trusted domain, and explains retention and access controls.
Users may not be able to confirm who operates the backend or whether it is the intended Zeelin service.
The backend service is configured as an HTTP raw IP rather than a verifiable provider domain, leaving a provenance gap for the service that receives uploaded data.
"service_url": "http://47.98.180.113:8083"
Prefer a documented HTTPS domain and provider-owned endpoint before installing or using the skill.
Anyone with access to the config file may be able to use the user’s Zeelin quota or account access.
The skill expects a real provider App-Key in a local config file; this is purpose-aligned but should be treated as a credential.
"Zeelin_App_Key": "你的真实AppKey"
Store the App-Key carefully, rotate it if exposed, and verify the skill’s credential requirement before use.
A submitted task can consume paid or limited service credits.
Submitting the video-analysis task spends account quota. This is disclosed and purpose-aligned, but it is still a high-impact API action.
Skill service: verify quota → deduct fee → submit AI task ... quota is deducted when the task is submitted
Confirm the expected cost and video duration before allowing the agent to submit the analysis task.
The agent may remain active for a long-running video job after submission.
The skill instructs the agent to keep polling for up to an hour; this is bounded and task-related, not hidden persistence.
Poll for at most 60 minutes ... sleep 300 # wait 5 minutes
Make sure long polling is acceptable, and stop the task if you no longer want the analysis to continue.
