ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Videoretalk

v1.0.0

Use when replacing lip sync in existing videos with Alibaba Cloud Model Studio VideoRetalk (`videoretalk`). Use when creating dubbed videos, replacing narrat...

0· 0·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name, description, SKILL.md, and the included script all focus on preparing requests for Alibaba Cloud Model Studio VideoRetalk — this is coherent. The SKILL.md documents the correct Alibaba endpoints and model name. However, the registry metadata lists no required environment variables or primary credential even though SKILL.md explicitly says an API key (DASHSCOPE_API_KEY) or a credential entry in ~/.alibabacloud/credentials is required; that metadata omission is inconsistent and should be corrected.
!
Instruction Scope
Most runtime instructions are scoped to preparing/persisting a request JSON and describing how to call Aliyun's async endpoints. But the SKILL.md's validation command references a file path that does not match the provided file layout: it runs python -m py_compile skills/ai/video/aliyun-videoretalk/scripts/prepare_retalk_request.py while the repository provides scripts/prepare_retalk_request.py. That mismatch will cause the validation step to fail unless files are laid out differently at runtime. The instructions also ask you to set DASHSCOPE_API_KEY or add credentials to ~/.alibabacloud/credentials; the skill itself (the included script) does not use those values, but actual API calls to Aliyun would need them — the instructions are correct in that sense but the metadata omission is problematic.
Install Mechanism
There is no install spec — the skill is instruction-only with a small helper script. That minimizes installation risk because nothing arbitrary will be downloaded or written beyond the contained files.
!
Credentials
SKILL.md requires DASHSCOPE_API_KEY or an entry in ~/.alibabacloud/credentials for using the Aliyun VideoRetalk API. The registry metadata, however, lists no required environment variables or primary credential. This mismatch is a red flag: either the metadata is incomplete (expected) or the instructions are asking for credentials that the skill doesn't actually need. The included script does not read secrets, but any real network calls to Aliyun (not included) will need the API key. Also, the instructions suggest writing request files containing the input video/audio URLs — those may include sensitive links that will be stored on disk.
Persistence & Privilege
always is false and the skill does not request persistent/privileged platform presence or modify other skills. It only writes output files under output/aliyun-videoretalk/ by design.
What to consider before installing
This skill appears to do what it says (prepare VideoRetalk request payloads), but there are two issues you should resolve before using it: 1) Metadata vs. docs mismatch: SKILL.md requires an Alibaba DashScope API key (DASHSCOPE_API_KEY) or credentials in ~/.alibabacloud/credentials, but the skill metadata declares no required env vars or primary credential. Ask the publisher to update the metadata to declare DASHSCOPE_API_KEY (or explicitly mark credential usage as optional) so you know what secrets are needed. 2) Validation command/path mismatch: The validation step references skills/ai/video/aliyun-videoretalk/scripts/prepare_retalk_request.py, but the included script is at scripts/prepare_retalk_request.py. Confirm the intended file layout or fix the validation command — otherwise the provided validation will fail. Additional practical guidance: - The included Python script is small and benign (it only builds and writes a JSON payload). The skill itself does not perform network calls, but actual use of the VideoRetalk API will require your Alibaba credentials; limit those credentials to minimal permissions and use short-lived or scoped keys if possible. - Be aware of data privacy: the skill stores input video/audio URLs and the generated request JSON on disk (under output/aliyun-videoretalk/). Those files may contain sensitive links or metadata; review and purge them as needed. - Verify the endpoint domain (dashscope.aliyuncs.com) against Alibaba’s official docs before providing credentials. If the publisher corrects the metadata and fixes the file path in SKILL.md (or documents why it differs), this would likely be coherent and benign. Until then, treat the inconsistencies as suspicious and confirm them with the author before installing or supplying credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eb6j91b40n03zc2td87mhdd8407fw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: provider

Model Studio VideoRetalk

Validation

mkdir -p output/aliyun-videoretalk
python -m py_compile skills/ai/video/aliyun-videoretalk/scripts/prepare_retalk_request.py && echo "py_compile_ok" > output/aliyun-videoretalk/validate.txt

Pass criteria: command exits 0 and output/aliyun-videoretalk/validate.txt is generated.

Output And Evidence

  • Save normalized request payloads, target face selection settings, and task polling snapshots under output/aliyun-videoretalk/.
  • Record the exact video/audio input URLs and whether video_extension was enabled.

Use VideoRetalk when the input is already a person video and the job is to replace lip sync with a new speech track.

Critical model names

Use this exact model string:

  • videoretalk

Prerequisites

  • This model currently only supports China mainland (Beijing).
  • API is HTTP async only; there is no online console experience.
  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials.

Normalized interface (video.retalk)

Request

  • model (string, optional): default videoretalk
  • video_url (string, required)
  • audio_url (string, required)
  • ref_image_url (string, optional): target face when input video contains multiple faces
  • video_extension (bool, optional): extend video to match longer audio
  • query_face_threshold (int, optional): 120 to 200

Response

  • task_id (string)
  • task_status (string)
  • video_url (string, when finished)
  • usage (object, optional)

Endpoint and execution model

  • Submit task: POST https://dashscope.aliyuncs.com/api/v1/services/aigc/image2video/video-synthesis/
  • Poll task: GET https://dashscope.aliyuncs.com/api/v1/tasks/{task_id}
  • HTTP calls are async only and must set header X-DashScope-Async: enable.

Quick start

python skills/ai/video/aliyun-videoretalk/scripts/prepare_retalk_request.py \
  --video-url "https://example.com/talking-head.mp4" \
  --audio-url "https://example.com/new-voice.wav" \
  --video-extension

Operational guidance

  • Keep input videos front-facing and close enough for stable face tracking.
  • If the video contains multiple faces, provide ref_image_url to anchor the intended target.
  • If the new audio is longer than the input video, decide explicitly whether to extend the picture track or truncate the audio.
  • URLs must be public HTTP/HTTPS links; local file paths are not accepted by the API.

Output location

  • Default output: output/aliyun-videoretalk/request.json
  • Override base dir with OUTPUT_DIR.

References

  • references/sources.md

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…