VideoClaw Pro

This skill's functionality (read Feishu doc/wiki, generate clip scripts, write back) is coherent, but there are two red flags you should consider before installing: 1) Hardcoded credentials: videoclaw_lib.py contains APP_ID and APP_SECRET inside the repository. That means the skill will use the author's/owner's Feishu service account to access documents. If you follow the skill's steps (sharing docs with the robot), those documents become accessible to that external account. Only proceed if you trust the skill author and understand that private content will be accessible to their robot. 2) Missing dependency/credential declarations: the metadata lists no required env vars or binaries, but the code needs Python packages (requests, lark_oapi, python-docx) and network access. The skill also forbids using the built-in feishu_doc tool and forces using the included CLI, increasing reliance on the embedded credentials. Recommendations before installation: - Ask the author to remove hardcoded APP_SECRET and instead require the operator to provide credentials via environment variables (declared in requires.env), or to use an OAuth flow that uses the user's own app credentials. - If you cannot get that change, do not share private documents with the robot; instead test with non-sensitive docs. - Verify the APP_ID belongs to a trusted owner (ask for the organization or app registration details) and request an explanation why the built-in feishu_doc tool couldn't be used. - Ensure required Python dependencies are installed in a controlled environment before running the CLI. If the author can provide a version that uses the user’s own credentials (or the platform's built-in feishu_doc tool) and lists dependencies, the concerns would be largely resolved. If the APP_SECRET here is confirmed malicious or unknown and the author refuses to remove it, treat the skill as untrusted.