DubbingHub
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private or sensitive videos may leave the local environment and be processed by the external provider.
The skill clearly discloses that user-provided video content or a video URL is sent to a third-party service.
Base URL is fixed to: `https://audiox-api-global.luoji.cn` ... `video`: binary video file ... `video_url`: an accessible `http(s)` video link
Use the skill only for videos you are comfortable uploading to the disclosed service, and review the provider's privacy terms before sending sensitive content.
Anyone with the key could potentially submit translation jobs or consume service quota under the user's account.
The skill requires a bearer API key for the video translation service, which is expected for this integration but gives the service account-level authority such as quota use.
`api_key`: request header `Authorization: Bearer <api_key>` ... the environment variable `VIDEO_TRANSLATE_SERVICE_API_KEY` must be set
Store the API key as a protected environment variable, use a dedicated or revocable key if available, and avoid pasting the key into prompts or shared logs.
If the agent infers a video-translation request, it may use the skill without a separate manual launch step.
The skill permits the agent to invoke it implicitly when it matches the user's request. This is purpose-aligned, but it matters because invocation can upload the selected video or URL.
policy: allow_implicit_invocation: true
For sensitive media, explicitly confirm before asking the agent to translate or dub the video, or configure the environment to require manual approval if desired.
Users have less independent context for verifying the publisher or project before trusting the service and providing an API key.
The registry metadata provides limited provenance for the skill, although the included artifacts are small and coherent.
Source: unknown Homepage: none
Verify the provider domain and support/privacy links out of band before using the skill with a real API key or sensitive videos.
