Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LH Video Gen
v1.0.0
Generate vertical short videos (9:16) from a Markdown script. Parses script sections, generates TTS audio, renders subtitle cards, and composites into MP4 wi...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with the shipped code: generate.py parses Markdown, produces TTS audio (via a local TTS tool or a user-supplied TTS command), renders HTML slides (via headless Chrome) and composes video with FFmpeg. No unrelated env vars or services are requested.
Instruction Scope
SKILL.md instructs the agent to run the provided script and to optionally set CHROME_PATH or EDGE_TTS_PATH; those are relevant. One non-security note: the templates and script encourage/contain hard-coded branding and SEO guidance (e.g., requiring core keywords and the phrase to promote "关注刘贺同学" and '龙虾哥' branding). That is scope creep for content (not a technical mismatch) and may be undesired by some users.
Install Mechanism
No install spec or external downloads are present; this is an instruction+code skill that relies on locally installed FFmpeg and Chrome. Nothing is extracted from arbitrary URLs or installed automatically.
Credentials
The skill requests no secrets or special environment variables. It optionally reads CHROME_PATH and EDGE_TTS_PATH to locate local binaries/scripts — these are proportional and documented. The script may detect and invoke a sibling ../lh-edge-tts script if present; that behavior is expected for optional integration but the referenced script should be trusted.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It writes temporary files under a tmp directory near the output path and cleans some temporary files; it does not modify other skills or system-wide settings.
Assessment
This skill appears coherent and performs only local operations (reads your Markdown, writes temp files, runs local Chrome/FFmpeg and an optional local TTS tool). Before installing or running:
- Ensure FFmpeg and Chrome are installed from trusted sources.
- If you rely on the auto-detected ../lh-edge-tts script, verify that script is trusted: the skill will execute it (it runs python on that script). Malicious or untrusted code in that sibling path could run on your machine.
- If you pass a custom --tts-command, be careful: the skill runs that string with a shell (shell=True). Only use trusted TTS commands and avoid passing untrusted templates that could execute additional shell operations.
- The provided HTML templates contain hard-coded branding and SEO guidance (promotional phrases). If you don’t want those, edit the templates before generating videos.
- The skill reads your input Markdown and writes audio/image/video files under a tmp folder next to your output; do not include secrets in the script content if you are concerned about local file storage.
Overall: technically coherent for its stated purpose. The main operational risks are executing a local sibling TTS script and running user-supplied shell commands for TTS — verify those components are trusted before use.
