Security checks across malware telemetry and agentic risk
The skill appears to be a real video-dubbing utility, but users should review it because it needs a full Douyin session cookie and its “fully local” wording understates external AI/TTS data sharing.
Install only if you are comfortable using a throwaway Douyin account cookie, rotating it after use, and having transcript/translated text sent to the AI agent and whichever TTS provider you choose. Run it in a dedicated environment, avoid private videos, and treat the Edge TTS header patching and unpinned dependencies as review points rather than hidden malware.
)
tts_track = workdir / "tts_track.mp3"
subprocess.run(
[FFMPEG, "-y"] + inputs + [
"-filter_complex", ";".join(filter_parts),
"-map", "[aout]",ass_path_fwd = str(ass_path).replace("\\", "/").replace(":", "\\:")
sub_filter = f"subtitles='{ass_path_fwd}':fontsdir='C\\:/Windows/Fonts'"
subprocess.run([
FFMPEG, "-y",
"-i", str(video), "-i", str(tts_track),
"-filter_complex",# Delay tăng dần: lần 1 = 2-4s, retry = 5-10s để tránh rate limit
delay = 2.0 + random.uniform(1.0, 2.0) if attempt == 0 else 5.0 + random.uniform(2.0, 5.0)
_time.sleep(delay)
r = subprocess.run([_sys.executable, "-c", script],
capture_output=True, text=True,
env={**os.environ, "PYTHONUTF8": "1"})
if r.returncode == 0 and out_path.exists() and out_path.stat().st_size > 100:req.add_header("xi-api-key", api_key)
req.add_header("Content-Type", "application/json")
req.add_header("Accept", "audio/mpeg")
with urllib.request.urlopen(req, timeout=30) as resp:
out_path.write_bytes(resp.read())# Delay tăng dần: lần 1 = 2-4s, retry = 5-10s để tránh rate limit
delay = 2.0 + random.uniform(1.0, 2.0) if attempt == 0 else 5.0 + random.uniform(2.0, 5.0)
_time.sleep(delay)
r = subprocess.run([_sys.executable, "-c", script],
capture_output=True, text=True,
env={**os.environ, "PYTHONUTF8": "1"})
if r.returncode == 0 and out_path.exists() and out_path.stat().st_size > 100:65/65 vendors flagged this skill as clean.