ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Huo15 Comic Lipsync

v0.1.0

给视频镜头+对白音频做口型同步(Kling 2.5 Lip Sync)。没有对白的镜头跳过。触发词:对口型、lipsync、口型同步。

0· 27·0 current·0 all-time
byJob Zhao@zhaobod1

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhaobod1/huo15-comic-lipsync.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Huo15 Comic Lipsync" (zhaobod1/huo15-comic-lipsync) from ClawHub.
Skill page: https://clawhub.ai/zhaobod1/huo15-comic-lipsync
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install huo15-comic-lipsync

ClawHub CLI

Package manager switcher

npx clawhub@latest install huo15-comic-lipsync
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (Kling lip-sync) matches the code in scripts/lipsync.py which posts video+audio to Kling. However the registry metadata claims no required environment variables while the code requires KLING_API_KEY; that is an incoherence between claimed requirements and actual capability. The bundled shared library also contains an ArkClient that needs ARK_API_KEY if used, but that client is not invoked by lipsync.py.
!
Instruction Scope
SKILL.md shows the local CLI usage and a Kling API example, which aligns with behaviour. But the runtime instructions/code will: (1) read videos and audio from provided directories, (2) upload raw video+audio files to a third‑party endpoint (https://api.klingai.com), (3) download the processed video, and (4) write .checkpoint.json and .cost.json into the project directory. The SKILL.md / registry did not clearly surface the KLING_API_KEY requirement or the fact that raw media will be uploaded off‑device (privacy/billing implication).
Install Mechanism
No install spec; this is a filesystem-bundled skill (code included in scripts/). Nothing is fetched from remote URLs during install. No unexpected installers or archive extraction were observed.
!
Credentials
The skill actually requires a KLING_API_KEY environment variable at runtime (scripts/lipsync.py raises if missing), but the registry metadata lists no required env vars. The shared ark_api.py also expects ARK_API_KEY when instantiated (not used by lipsync), which increases surface area if other code paths are exercised. Requesting API keys is proportionate to the stated function, but omitting them from metadata is a notable inconsistency and a usability/security risk.
Persistence & Privilege
The skill does not request persistent/always-on privileges. It writes outputs and bookkeeping files (.checkpoint.json and .cost.json) under the project/out directories provided by the user — expected for this workflow and limited to the project's directory.
What to consider before installing
Key points before installing or running: - This skill will upload your raw video and audio files to a third‑party service (https://api.klingai.com) using a KLING_API_KEY. That is required at runtime even though the skill metadata didn't declare it — provide a key only if you trust Kling and understand billing/privacy. - The code will create/modify .checkpoint.json and .cost.json in the project directory (out_dir parent). Expect local bookkeeping files and cost tracking. - Billing: the skill charges per‑scene lip‑sync; the code uses pricing in config.py and CostGuard to enforce caps. Test on short/dummy clips first to estimate cost. - Review or sandbox first: if the media contain sensitive content, do not upload until you verify Kling's privacy/retention policy. Consider using throwaway API keys or a service account with minimal privileges and monitor usage. - Metadata mismatch: the registry should declare KLING_API_KEY (and any other required creds). Ask the publisher to correct the metadata or inspect the code yourself before use. If you want, I can: (a) point out the exact lines that require KLING_API_KEY and where uploads occur, (b) suggest a minimal local wrapper to dry‑run without uploading, or (c) produce a checklist of privacy/billing questions to ask the Kling provider.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d7qf8vt3pbvc0gnj7pwde3585nzc0
27downloads
0stars
1versions
Updated 23h ago
v0.1.0
MIT-0
Job Zhao@zhaobod1
latest
Download

火15 漫剧-对口型 Skill

视频 + 音频 → 口型同步后的视频。

输入 / 输出

python scripts/lipsync.py \
  --video-dir output/demo/videos \
  --audio-dir output/demo/audio \
  --out-dir output/demo/lipsync

每个镜头取该镜第一条对白的音频做口型同步;无对白直接复制原视频。

API

POST https://api.kling.com/v1/videos/lip-sync
Headers: Authorization: Bearer {KLING_API_KEY}
Body:
{
  "video_url": "...",
  "audio_url": "...",
  "mode": "kling-v2.5"
}

注意

  • 视频最短 3s,如果对白音频 <3s 自动补静默
  • 单镜成本 ¥3,48 镜 = ¥144(可通过 --no-lipsync 关闭省钱)

Comments

Loading comments...