ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

08 Video Merge

v1.0.3

Locally merges video clips, dubbing audio, SRT subtitles, and background music into a 9:16 vertical short video ready for publishing.

0· 136·1 current·1 all-time
by@ghwyever
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description promise full local merging (video + audio + SRT + music, 9:16 output). However, the shipped code (skill.js) contains no media processing, no downloads, and no invocation of tools like ffmpeg; it only returns a static path and message. Required binaries/credentials are none, which is inconsistent with a true local media-processing task that would normally require ffmpeg or similar.
!
Instruction Scope
SKILL.md describes a pure-local merging workflow and lists expected inputs (video_url, audio_url, subtitle_url). The runtime instructions do not ask for unrelated files or secrets, but the actual runtime (skill.js) does not implement any of the described steps. This is scope mismatch: instructions promise behavior that the code does not carry out.
Install Mechanism
There is no install spec and only a tiny instruction+code file; nothing is downloaded or written to disk by an installer. This low-install footprint reduces risk.
Credentials
The skill requests no environment variables, credentials, or config paths — which is consistent with the provided (non-functional) code. If the skill were implemented, it would likely require local binaries or temporary file access; those are not requested now.
Persistence & Privilege
No elevated privileges or persistent 'always' installation is requested. The skill is user-invocable and does not claim to modify other skills or system settings.
What to consider before installing
This skill is a stub: it advertises local video merging but the code does not do any merging — it only returns a static filename. Do not rely on it to process media. Before installing or using it: (1) ask the author for a real implementation (look for calls to ffmpeg or other media libraries and explicit file download/cleanup logic); (2) require the skill to declare required binaries (e.g., ffmpeg) and temporary file paths; (3) inspect any future code for network endpoints, uploads, or external dependencies; and (4) test in a sandboxed environment. If you want a working merge skill, insist on a complete implementation that clearly documents required tools, permissions, and where output files are written.

Like a lobster shell, security has layers — review code before you run it.

latestvk975h42p24xyb5acfvfs84f83x84kpjr
136downloads
0stars
4versions
Updated 1w ago
v1.0.3
MIT-0
@ghwyever
latest
Download

视频合成技能

功能介绍

将视频、音频、字幕一键合成为 9:16 竖屏成品短剧。

输入参数

  • video_url:视频地址(必填)
  • audio_url:音频地址(必填)
  • subtitle_url:字幕地址(可选)

输出结果

  • final_video_url:最终成片地址

使用场景

  • 短剧最终合成发布
  • 批量产出可发布视频
  • 一键成片自动化

技术说明

纯本地运行,无需API、无需模型配置。

Comments

Loading comments...