ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shell Image Video

v1.0.0

RunningHub AI 工作流集成 — 图片换脸、Wan2.2 动作迁移、动作迁移升级版、150帧高清舞蹈视频。Use when asked about face swap, motion transfer, dance video generation, or RunningHub workflows.

0· 695·1 current·1 all-time
by@lygjoey
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description and SKILL.md target RunningHub face-swap and motion-transfer workflows, which legitimately require a RunningHub API key and media tools. However, the skill metadata declares no required environment variables or binaries while the SKILL.md explicitly lists RUNNINGHUB_API_KEY, ffmpeg, and ImageMagick. That mismatch is incoherent: a RunningHub integration should declare the API key requirement up front.
!
Instruction Scope
The runtime instructions tell the agent to run node scripts under ~/.openclaw/workspace/Shell-openclaw-image-video-skill and to call a Workflow API path. But there are no code files in the bundle and no install step to create those scripts or the workspace. The instructions also embed a literal API key value ('7192bd7ed2654d1dbfa24ef0c8576705'), which is a credential present in the docs rather than obtained from the user's environment. Together, missing scripts + embedded key + unspecified network host / endpoints are red flags.
Install Mechanism
There is no install spec (instruction-only), which keeps disk/write risk low. However, because the instructions depend on local node scripts that are not present and on third-party binaries, the skill as provided cannot function as-is. The absence of an install mechanism is inconsistent with the usage instructions.
!
Credentials
The SKILL.md asks for RUNNINGHUB_API_KEY and external binaries (ffmpeg, ImageMagick) — these are reasonable for this functionality — but the skill metadata did not declare these requirements. Additionally, an apparent API key is embedded in the document as '已预配置', which is poor practice and may expose a credential of unknown provenance; using that key blindly risks leakage, misuse, or unexpected billing. The skill should declare required env vars explicitly and not embed credentials in docs.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows model invocation (default), which is normal. There is no evidence it modifies other skills or system settings.
What to consider before installing
Do not install or enable this skill as-is. The SKILL.md references node scripts and a workspace path that are not included in the bundle and lists required env vars/binaries that the registry metadata does not declare. Also note the hard-coded API key in the instructions — never trust or use embedded credentials of unknown origin. Ask the publisher to (1) provide the referenced code or a proper install spec, (2) remove the embedded API key and instead require the user to supply RUNNINGHUB_API_KEY explicitly, (3) declare required binaries and environment variables in metadata, and (4) document the RunningHub host/endpoints and privacy/billing implications. Until these are resolved, treating the skill as untrusted is safest; avoid uploading sensitive face data to unknown endpoints and rotate any leaked credentials immediately.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fxxyf0xbsdnext7rj304cbx83tb9m
695downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@lygjoey
latest
Download

Shell Image & Video Skill

RunningHub AI 工作流集成 - 图片换脸 + 视频动作迁移

工具位置

~/.openclaw/workspace/Shell-openclaw-image-video-skill/

4个工作流

1. 图片换脸

cd ~/.openclaw/workspace/Shell-openclaw-image-video-skill
node scripts/runninghub-face-swap.js --face=./photo.jpg --prompt="场景描述"
# 或用URL
node scripts/runninghub-face-swap.js --faceUrl="https://..." --prompt="场景描述"
  • 生成时间:~3分钟
  • 输出:output/ 目录下 JSON(含图片URL)

2. Wan2.2 动作迁移

node scripts/wan22-animate.js --video=drive.mp4 --reference=face.jpg

可选参数:--fps=30 --width=720 --height=1280 --elasticity=0.6 生成时间:10-15分钟

3. 动作迁移升级版(表情+动作)

node scripts/motion-pro.js --video=dance.mp4 --reference=target.jpg

可选参数:--duration=5 --skipSeconds=0 --fps=30 --width=928 --height=1664 生成时间:15-20分钟

4. 150帧高清舞蹈

node scripts/dance-150.js --video=dance.mp4 --reference=dancer.jpg

可选参数:--faceEnhance=2 --duration=5 --skipSeconds=2 --fps=30 --intensity=1 生成时间:20-25分钟

Workflow API 工作流(5个数字人/对比工作流)

以下工作流使用 Workflow API(/openapi/v2/run/workflow/),需要 instanceType=plus

5. 图片对比 GIF/视频

node scripts/image-compare.js --image1=before.jpg --image2=after.jpg

生成时间:2-5分钟

6. InfiniteTalk 数字人口播

node scripts/infinitetalk.js --image=portrait.jpg
node scripts/infinitetalk.js --image=portrait.jpg --audio=speech.mp3

生成时间:5-15分钟

7. HeyGem + TTS 数字人视频

node scripts/heygem-tts.js --image=face.jpg --audio=voice.mp3 --text="你好,欢迎来到我的频道"

需要:人像 + 5-10秒语音样本 + 文案(中/英/日) 生成时间:10-20分钟

8. 单人数字人生成

node scripts/single-digital-human.js --image=person.jpg --audio=audio.mp3

生成时间:~5分钟

9. 口播加长版(无限时长)

node scripts/lipsync-extended.js --image=portrait.jpg --audio=long-speech.mp3

人和动物都可以口播,无时长限制 生成时间:10-30分钟

API Key

已预配置:7192bd7ed2654d1dbfa24ef0c8576705

注意

  • 视频素材建议 720p+
  • 视频时长建议 5-10秒(太长容易崩)
  • 费用:图片约0.05-0.1元/次,视频约0.5-2元/次

常见错误与处理

错误原因处理
task_id not foundRunningHub 任务超时或不存在等待 30s 后重试,最多 3 次
image too large输入图片超过 10MBconvert 压缩到 5MB 以内
workflow not available工作流离线/排队提示用户稍后重试
HTTP 429API 限流等 60s 后重试

使用示例

图片换脸

用户: "把这张照片换成 xxx 的脸"
→ 上传图片 → 调用 face-swap 工作流 → 返回结果图

动作迁移

用户: "把这个舞蹈动作迁移到另一个人身上"
→ 上传参考视频 + 目标图片 → motion-transfer 工作流 → 返回视频

依赖

  • RunningHub API Token(环境变量 RUNNINGHUB_API_KEY
  • ffmpeg(视频处理)
  • ImageMagick(图片压缩)

Comments

Loading comments...