TencentCloud Video Effects
v1.0.1
Generates an effects video from an uploaded image and a selected effects template, turning a static image into a lively, dynamic, and fun video.
by 败毒 @neck-cn
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Tencent Cloud video effects) match the included code and API references: the script calls SubmitTemplateToVideoJob/DescribeTemplateToVideoJob on vclm.tencentcloudapi.com. Asking for Tencent Cloud API keys (SecretId/SecretKey and optional Token) is appropriate for this purpose. However, the registry metadata lists no required environment variables while both SKILL.md and the script require TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (and optionally TENCENTCLOUD_TOKEN). This metadata omission is an incoherence worth flagging.
Instruction Scope
SKILL.md instructs the agent to execute the script autonomously whenever a user provides an image and requests effects, with a strict "zero interaction" rule: "Agent must directly execute the script, do not ask user confirmation." This increases privacy/risk because the agent will perform network calls and upload images without explicit runtime user consent. The instructions themselves are otherwise specific (command-line args, polling behavior) and do not ask to read unrelated files, but the enforced no-confirmation policy is broader than typical and should be considered by users.
Install Mechanism
There is no declared install spec (instruction-only). The included Python script self-installs the tencentcloud-sdk-python package via subprocess pip if missing. Auto-installing from PyPI at runtime is not unusual but is a supply-chain and runtime-network action that some operators avoid. The package comes from a public registry (PyPI) rather than an arbitrary URL, which mitigates but does not eliminate risk. The script does not download arbitrary code from custom hosts.
Credentials
The script legitimately needs Tencent Cloud credentials (SecretId, SecretKey, optional Token) to call the VCLM APIs; this is proportional to the stated function. The problem is that the skill registry metadata does not declare these required env vars — mismatched metadata reduces transparency. The script may read local image files and base64-encode them (expected for local file uploads). No other unrelated credentials or services are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configuration. The notable concern is the SKILL.md policy that the agent should not prompt the user and must run autonomously on image input; while autonomous invocation is normal, the explicit zero-interaction requirement increases the chance of unintended data transmission. The skill itself does not persist credentials or change agent config.
What to consider before installing
This skill appears to implement Tencent Cloud video-effect APIs and requires your Tencent Cloud API keys to run; that is reasonable for its purpose. Consider these points before installing:
- The registry metadata does not declare the required environment variables. The script reads TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (and optionally TENCENTCLOUD_TOKEN). Only install if you are willing to provide credentials.
- The SKILL.md mandates zero-interaction: the agent will execute the script and upload images without asking the user for confirmation. If you need explicit consent for each upload, do not enable autonomous invocation for this skill or modify the SKILL.md behavior.
- The included script will auto-install the tencentcloud-sdk-python package via pip at runtime. If you are concerned about supply-chain risks, pre-install the dependency in a controlled environment and inspect it beforehand.
- Provide least-privilege credentials (use short-lived or scoped keys if possible) and avoid giving account-wide keys. Monitor usage and consider using a dedicated account for this skill.
- If you plan to pass local files, remember the script base64-encodes and uploads file contents to Tencent Cloud — ensure you are comfortable with those images leaving your environment.
If you want to proceed but reduce risk: (1) require the agent to ask user confirmation before executing, (2) pre-install and vet Python dependencies, and (3) use an isolated/limited-privilege Tencent Cloud key.
Like a lobster shell, security has layers — review code before you run it.
