ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Pipeline

v3.0.0

对话式AI短视频创作工具。用户提出想法 → agent 设计脚本 → 人工确认 → 自动制作MP4。 当用户提到:(1) 做个视频/短视频, (2) AI旁白视频, (3) 认知自述/播客风格视频, (4) 文稿转视频。 不要在用户仅提到"视频"、"TTS"、"语音"等模糊词时激活(可能是其他需求)。

1· 126·0 current·0 all-time
by@mydearzsy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code implements a video pipeline that calls VolcEngine (即梦AI) for video, Volc podcast TTS, and MiniMax for music — all coherent with the stated purpose. However the skill registry metadata declares no required environment variables or binaries, while the code clearly expects VOLC_* keys, VOLC_APP_ID/ACCESS_KEY/APP_KEY, MINIMAX_API_KEY, and system tools (ffmpeg/ffprobe). That mismatch is inconsistent and disproportionate.
Instruction Scope
SKILL.md describes a four‑phase workflow and instructs the agent to run build_video.py to produce MP4. The runtime instructions mention '通过飞书发送 MP4 给用户' (send via Feishu), but I found no Feishu integration code in the repository — delivery step is claimed but not implemented. Other runtime actions (reading styles from ~/.openclaw/skills/..., running build pipeline, generating and caching subs/bgm) are implemented and consistent with the stated task.
!
Install Mechanism
There is no install specification (instruction-only), which lowers installer risk, but the code requires many native binaries and Python packages (ffmpeg/ffprobe, OpenCV, moviepy, PIL, websockets, requests, volcenginesdkcore, funasr, etc.) that are not declared. This makes the skill likely to fail or require manual environment changes — a practical and operational risk.
!
Credentials
The environment variables used (VOLC_ACCESS_KEY_ID, VOLC_SECRET_KEY, VOLC_APP_ID/ACCESS_KEY/APP_KEY, MINIMAX_API_KEY and proxy envs) are appropriate for the external services the code calls, so their presence is understandable. The problem is the skill metadata did not declare these required credentials. That omission is misleading and increases the chance a user will accidentally supply sensitive keys without realizing which skill needs them.
Persistence & Privilege
always is false and the skill does not request platform-wide privileges. The code caches outputs (bgm/ files, subs.json) under the skill directory and writes to a work_dir (/tmp/video-poc) — normal for a media pipeline. It does not modify other skills or global agent settings.
What to consider before installing
This skill appears to implement what it promises (automatic TTS → video clip generation → compose), but there are several practical and security concerns you should consider before installing or running it: - Missing declared requirements: The registry metadata lists no required env vars or binaries, but the code needs VOLC_* keys (即梦AI / 火山播客), MINIMAX_API_KEY, ffmpeg/ffprobe, and multiple Python packages. Treat the metadata as incomplete; expect manual environment setup. - External network access: The skill connects to external endpoints (wss://openspeech.bytedance.com for TTS, visual.volcengineapi.com for video generation, api.minimaxi.com for music). Those are necessary for functionality, but supplying credentials gives the skill the ability to call those services on your behalf — provide the minimum-privilege keys and monitor usage/billing. - Delivery mismatch: SKILL.md says the produced MP4 will be sent via Feishu, but I found no Feishu integration in the code. Clarify how the agent will deliver the file in your deployment (or implement/inspect the delivery code) before trusting it with private outputs. - Dependency & runtime risk: The skill relies on native binaries (ffmpeg, ffprobe) and many Python libs (OpenCV, moviepy, websockets, funasr, volcenginesdkcore). Run in a sandbox or test environment first; do not run as a privileged user. - Storage & caching: Generated BGMs and subs are persisted under the skill directory and bgm/ — check disk usage and where files are stored if that matters for privacy/compliance. Recommendations: 1. Ask the publisher/owner for an updated manifest listing required env vars and Python/system dependencies, and for confirmation about Feishu delivery. 2. If you must test, do so in an isolated environment or container, and provide only least-privileged API keys (rotate them after testing). 3. Verify billing impacts on the external services (即梦AI per-second cost, MiniMax generation) before running at scale. 4. Inspect/replace the delivery code or disable auto-sending until you confirm how outputs are transmitted. Because of the metadata/code mismatches and missing dependency declarations, treat this skill as 'suspicious' until those gaps are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dz16m6m0dabarc1j49snm4s8462ff

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments