Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Dubbing
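v1.2.0
🎯 **The only Chinese dubbing skill that uses VoxCPM** - one-click Chinese dubbing for foreign-language videos, with hard-subtitle detection, checkpoint resume, and smart BGM. Trigger scenarios: (1) the user needs to dub a foreign-language video (2) video translation requests (3) multilingual content localization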
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The main scripts (dubbing, add_bgm) and SKILL.md align with a video-dubbing/TTS workflow and require a translation API key and a VoxCPM model directory; however the registry metadata claims no required env vars while SKILL.md and the scripts expect TRANSLATE_API_KEY and VOXCPM_DIR. That mismatch between declared registry requirements and the runtime configuration is inconsistent and should be clarified.
Instruction Scope
SKILL.md and scripts perform typical tasks for the stated purpose (whisper transcription, translation API calls, TTS, ffmpeg processing). However scripts/dubbing.py and upload_bilibili.py access system files and make network calls: upload_bilibili.py loads credentials from a hardcoded absolute path (D:/openclaw_workspace/credentials/bilibili.json) and invokes a hardcoded ffmpeg path (E:/ImageMagick.../ffmpeg.exe). Those file reads and absolute-path accesses are outside the core dubbing purpose and represent scope creep (access to local credential stores).
Install Mechanism
There is no automated install spec (instruction-only). The README/SKILL.md instructs installing Python packages and cloning VoxCPM — reasonable and proportionate for a local TTS/transcription tool. Nothing in the install instructions downloads arbitrary executables from unknown servers.
Credentials
The runtime expects TRANSLATE_API_KEY and VOXCPM_DIR (declared in SKILL.md and used in scripts) which are reasonable. But upload_bilibili.py reads Bilibili credentials from a hardcoded system path not declared as required, and also references absolute local tools; these imply the package expects access to unrelated secrets on the host. The skill also defaults API endpoints to api.siliconflow.cn — users should verify trustworthiness of that external service before supplying keys.
Persistence & Privilege
The skill does not request always:true and has no install hooks that would force persistent system presence. It is instruction-only plus included scripts; autonomous invocation is allowed by default (normal), but there is no evidence of the skill attempting to modify other skills or system-wide settings.
Scan Findings in Context
[HARD_CODED_CRED_PATH] unexpected: scripts/upload_bilibili.py opens a hardcoded credentials file at D:/openclaw_workspace/credentials/bilibili.json. A dubbing skill should not require or assume a specific host-local credentials file. This is unexpected and possibly unsafe.
[ABSOLUTE_LOCAL_EXEC_PATH] unexpected: upload_bilibili.py invokes a hardcoded local ffmpeg path under E:/ImageMagick-7.1.1-Q16-HDRI/ffmpeg.exe. Relying on absolute local paths is fragile and may indicate the script was tailored to a single developer environment.
[NETWORK_CALLS] expected: scripts/dubbing.py uses requests.post to call translation and vision APIs (api.siliconflow.cn) which is expected for translation/vision tasks. Users should review which external endpoints will receive text and images (and whether keys will be sent).
[SUBPROCESS_EXEC] expected: Both add_bgm.py and dubbing.py use ffmpeg via subprocess; this is expected for video/audio processing.
What to consider before installing
Before installing or running:
1) Treat TRANSLATE_API_KEY as sensitive — confirm you trust the default external endpoint (https://api.siliconflow.cn) or change it to a provider you control.
2) Inspect and edit scripts/upload_bilibili.py: it reads credentials from a hardcoded Windows path and uses absolute ffmpeg paths — remove or modify this script if you do not want it to access local secrets or upload automatically.
3) If you don't need Bilibili upload functionality, delete upload_bilibili.py from the package.
4) Run the tool in an isolated environment (container or VM) and supply configuration via config.json or environment variables rather than relying on defaults.
5) Verify VoxCPM model installation location (VOXCPM_DIR) and do not place secrets in predictable paths.
If any behavior is unclear, ask the skill author to explain why local credential paths are used and to provide a safe configuration option.
Like a lobster shell, security has layers — review code before you run it.
