ClawHub

UGC Manual

v1.0.2

Generate lip-sync video from image + user's own audio recording. ✅ USE WHEN: - User provides their OWN audio file (voice recording) - Want to sync image to specific audio/voice - User recorded the script themselves - Need exact audio timing preserved ❌ DON'T USE WHEN: - User provides text script (not audio) → use veed-ugc - Need AI to generate the voice → use veed-ugc - Don't have audio file yet → use veed-ugc with script INPUT: Image + audio file (user's recording) OUTPUT: MP4 video with lip-sync to provided audio KEY DIFFERENCE: veed-ugc = script → AI voice → video ugc-manual = user audio → video (no voice generation)

2· 947·1 current·1 all-time
byPaul de Lavallaz@pauldelavallaz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements exactly what the description says: it uploads an image and converted audio to ComfyDeploy, queues a specific deployment, polls for completion, and downloads the MP4. Requiring an API key for ComfyDeploy (COMFY_DEPLOY_API_KEY) is coherent with this purpose. However, the registry metadata claims 'Required env vars: none' and 'Required binaries: none' while the code requires COMFY_DEPLOY_API_KEY and ffmpeg; that metadata mismatch is unexpected.
Instruction Scope
Runtime instructions and code stay within the expected scope: they may download audio from a provided URL, convert audio locally with ffmpeg, upload files to https://api.comfydeploy.com, queue a workflow using a fixed deployment ID, poll status, and download the resulting video. The agent is instructed to send user-provided image/audio to a third-party service (ComfyDeploy) — this is necessary for the stated workflow but is an important privacy/transfer decision and should be made explicit to users.
Install Mechanism
There is no install spec (instruction-only with included scripts). A pyproject.toml lists only the 'requests' dependency. No third-party binary download or obscure URL extraction is used. Running the script executes local ffmpeg and Python requests calls; the install surface is low but the script will perform network I/O at runtime.
!
Credentials
The code requires a single environment variable COMFY_DEPLOY_API_KEY (used to authenticate file uploads and workflow queueing), which is proportionate to the functionality. However, the skill's declared requirements in the registry do not list this credential (metadata states 'none'), creating an inconsistency. The missing declaration makes it harder for users to know what secrets they must provide and trust.
Persistence & Privilege
The skill is not configured as always: true and does not request persistent/system-level privileges. It only uses one environment variable and does not modify other skills or global agent configuration.
What to consider before installing
Key things to check before installing or running: - Metadata mismatch: the package metadata claims no required env vars/binaries, but the script requires COMFY_DEPLOY_API_KEY and ffmpeg. Expect to supply an API key and have ffmpeg available. - Data privacy: the script uploads user-provided images and audio to https://api.comfydeploy.com and queues a fixed deployment ID. If your audio or image is sensitive or private, do not use this skill unless you trust ComfyDeploy and understand their retention/privacy policy. - Verify API key provenance: only provide COMFY_DEPLOY_API_KEY if you obtained it from a trusted ComfyDeploy account; otherwise the key could be misused to upload/queue jobs under your account. - Source provenance: the skill lists no homepage and the owner is not human-readable. If provenance is important, request the upstream source or inspect the repo before use. - Testing suggestion: run the script in a sandbox or with non-sensitive sample media first. Confirm network endpoints, deployment ID, and resulting behavior match expectations. - If you need offline or local-only processing (no upload), do not use this skill — it is designed to use ComfyDeploy and will transmit media off your machine. If you want, I can extract the exact places the code will contact the network and show the minimal set of commands/requests it will make, or help you modify the script to use a different endpoint or to run locally if available.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dc7hc362vc77s9wpdzdrwj9811407

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments