Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Huo15 Comic Edit

v0.1.0

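Uses FFmpeg to concat the lipsync videos in order, overlay BGM, burn in subtitles and apply 0.3s fade-in/fade-out, producing final.mp4. Trigger words: 视频拼接 (video concatenation), 成片合成 (final-cut assembly), FFmpeg 拼接 (FFmpeg concatenation).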

by Job Zhao (@zhaobod1)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhaobod1/huo15-comic-edit.

Install the skill "Huo15 Comic Edit" (zhaobod1/huo15-comic-edit) from ClawHub.
Skill page: https://clawhub.ai/zhaobod1/huo15-comic-edit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install huo15-comic-edit

ClawHub CLI

npx clawhub@latest install huo15-comic-edit
Security Scan
Capability signals
Crypto; Can make purchases; Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
SKILL.md and scripts/edit.py describe a purely local FFmpeg-based workflow (concat, mix BGM, burn subtitles). However the bundle includes a shared ark_api.py, config.py, cost_guard.py and other shared modules that interact with external cloud APIs (Ark/Seedream/Seedance/TTS) and expect an ARK_API_KEY. Those cloud-capability files are unnecessary for the stated local editing task and are not declared in the skill requirements, which is an incoherence.
Instruction Scope
The runtime instructions in SKILL.md match edit.py: reading project-dir files (lipsync/S*.mp4 or videos/, audio/, bgm.mp3, script.json), producing concat.mp4/final.mp4, and invoking local ffmpeg. edit.py uses subprocess.run to call ffmpeg and writes files under the project directory; it does not perform network activity. The instructions are appropriately scoped to local files, but the presence of ark_api and other cloud helpers in the package is outside that scope.
Install Mechanism
No install spec (instruction-only/install-free) is provided, so nothing is downloaded or installed automatically. This lowers install-time risk. However the registry metadata does not declare ffmpeg as a required binary even though SKILL.md and edit.py require ffmpeg ≥ 5.0 — a metadata omission.
[!] Credentials
Registry metadata declares no required environment variables, but included code (scripts/_shared/ark_api.py) expects ARK_API_KEY and would raise if used. That environment access is not justified by the skill's described local FFmpeg purpose. While edit.py itself does not use any env vars or credentials, having secret-using modules bundled in the package is disproportionate to the stated function.
Persistence & Privilege
The skill does not request always:true and has no install actions that modify global settings. The code writes checkpoint and cost files only under the provided project directory (./.checkpoint.json, ./.cost.json), which is consistent with an editing workflow and not an elevated privilege.
What to consider before installing
This package will run a local Python script (scripts/edit.py) that calls your system ffmpeg to concat videos, add BGM, and burn subtitles; that part is coherent and appears safe if you trust the files in the project directory. However, the bundle also contains unrelated shared modules (ark_api.py, config.py, cost_guard.py) that reference remote cloud APIs and an ARK_API_KEY. Those are unnecessary for the local task and increase the attack surface. Before installing or running:

  1. Confirm you have and trust ffmpeg installed (SKILL metadata should list it but does not).
  2. Inspect scripts/edit.py yourself (it is short and uses subprocess to run ffmpeg).
  3. Remove or ignore the _shared modules if you only need the local editor, or run the tool in an isolated environment (VM/container) to limit risk.
  4. Do not set or expose any ARK_API_KEY or other credentials to this skill unless you specifically want cloud features and trust the source.
  5. Ask the publisher why cloud API code is bundled and why ffmpeg is not declared in requirements.

If you can't verify these, avoid using the skill on sensitive systems or data.

Like a lobster shell, security has layers — review code before you run it.

latest vk97d6ed46swz4c3szxp2kyb68985ngc9
27 downloads
0 stars
1 version
Updated 21h ago
v0.1.0
MIT-0

Huo15 Comic Drama: Final-Cut Assembly Skill

All clips → one final.mp4. Purely local FFmpeg, no API cost.


Input / Output

python scripts/edit.py --project-dir output/demo

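Reads:

  • lipsync/S*.mp4 (or falls back to videos/S*.mp4)
  • audio/S*_*.wav (dialogue, mixed in with the video)
  • bgm.mp3 (BGM for the whole film)
  • script.json (dialogue text and timestamps are taken from it to generate subtitles)

Output: final.mp4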

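Workflow

  1. Concatenate videos: ffmpeg concat demuxer, in scene id order
  2. Generate subtitles: compute the start and end time of each dialogue line from script.json (spread evenly across each 5s shot) → subtitle.srt
  3. Mix audio: dialogue + BGM (-20dB) + original video audio track (-6dB)
  4. Burn subtitles: ffmpeg subtitles filter, traditional Chinese (guofeng) style (Song typeface / outline)
  5. Transitions: 0.3s crossfade between adjacent shots (optional)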

Subtitle style (subtitle.ass)

[V4+ Styles]
Format: Name, Fontname, Fontsize, PrimaryColour, OutlineColour, Bold, Outline, Alignment, MarginV
Style: Default,Source Han Serif SC,48,&H00FFFFFF,&H00000000,1,3,2,120

Dependencies

  • ffmpeg ≥ 5.0 installed on the system
  • Font: Source Han Serif SC (思源宋体)
