Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Animation Studio

v2.1.1

Automatically turns a user's story into a storyboard, frames and animation to generate a video; supports multiple styles, automatic voice-over, subtitles, and background-music selection.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (story→storyboard→images→video) matches the code: it calls a doubao media script, ffmpeg, and local resource libraries. However, SKILL.md declares an ARK_API_KEY requirement while the registry metadata lists no required env vars, and the code hardcodes absolute paths (C:\Users\10954\.openclaw\workspace\skills\doubao-media\..., D:\AI视频资源\...) tied to the author's machine. Requiring access to another skill's workspace and a D: resources folder is surprising and disproportionate for a reusable skill; a legitimate skill would use relative or installation-aware paths, or a configurable resource directory.
Instruction Scope
Runtime instructions and code invoke external scripts (doubao_media.py) and ffmpeg, which is expected for media work, but they also scan and read user filesystem resources under D:\AI视频资源 (resource_index.py loads Excel/CSV files and enumerates media). That can expose arbitrary filenames and contents from a broad local directory. Neither SKILL.md nor the code lets the user choose the resource root (it is hardcoded), so the skill may access more of the host filesystem than a user would expect.
Install Mechanism
There is no install spec (instruction-only install), which lowers distribution risk. However, the skill package includes Python code that will run on the host. No remote download URLs are used, but the code executes subprocesses (Python scripts and ffmpeg). That is normal for this domain but worth auditing locally before execution.
Credentials
SKILL.md lists ARK_API_KEY (豆包/ARK API) as required, but the registry metadata lists no required environment variables, which is an inconsistency. The code itself does not read generic secrets from env vars, but it relies on another skill (doubao-media) and on an external API key; handing over that key should be a deliberate decision. The skill also expects access to the user's D: resource directory and to a doubao-media script at an absolute workspace path. Both are broad privileges that should be configurable.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It does not modify other skills' configs in the provided code. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags here.
What to consider before installing

- Mismatch: SKILL.md says you need ARK_API_KEY (豆包/ARK) but the skill metadata lists no required env vars. Treat any request to provide that API key carefully; only provide it if you trust the doubao/ARK service and the skill.
- Hardcoded absolute paths: the code uses C:\Users\10954\.openclaw\workspace\skills\doubao-media\scripts\doubao_media.py and D:\AI视频资源\... These will try to read your D: drive resources and a specific workspace path. Confirm or change the resource path and the doubao-media script location to avoid unintended file access.
- Local filesystem access: resource_index.py scans and loads many files (Excel/CSV/media) under D:\AI视频资源. If you keep sensitive files under that path, the skill could read them. Run the skill in a sandbox or change RESOURCE_DIR to a dedicated folder you control.
- Dependencies: the skill depends on doubao-media and edge-tts; inspect those skills before granting permissions. The skill invokes external scripts and ffmpeg via subprocess; audit them, and ensure ffmpeg is the expected binary on PATH.
- Copyright/legal risk: the BGM list includes recognizable commercial song names. Ensure you have rights to use any music before publishing videos.
- Code quality / minor bugs: create_animation.py references random.choice but does not import random at the top, which indicates limited testing; be prepared for runtime errors.

Recommendations:
1) Do not install blindly. Inspect and, if needed, modify the code to replace absolute paths with configurable options.
2) Provide the ARK/豆包 API key only if necessary and in a least-privilege manner; prefer scoped credentials or test without keys first.
3) Run in an isolated environment (VM/container) or with a dedicated resource folder to avoid accidental scanning of personal files.
4) Review/verify the doubao-media and edge-tts skills and any third-party binaries (ffmpeg) the skill calls.
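One way to act on recommendations 1) and 4) above: resolve the resource root and the ffmpeg binary from configuration, refuse any path that escapes the resource root, and enumerate only media files without following symlinks. This is an added illustration written for this page, not code from the AI Animation Studio or doubao-media skills; the RESOURCE_DIR and FFMPEG_PATH variables, the default folder name, the sample files and all function names are assumptions made for the example.

```python
"""Configurable, containment-checked resource paths for a media skill.

Added example for this page, not the skill's own code. RESOURCE_DIR,
FFMPEG_PATH, the default folder name and the function names are assumptions.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, Mapping, Optional

MEDIA_EXTS = (".mp4", ".mov", ".png", ".jpg", ".jpeg", ".mp3", ".wav")


def resource_root(env: Optional[Mapping[str, str]] = None,
                  default: str = "resources") -> Path:
    """Resolve the media root from RESOURCE_DIR, defaulting to a folder in the
    current directory instead of a drive path that only exists on one machine."""
    env = os.environ if env is None else env
    raw = env.get("RESOURCE_DIR") or str(Path.cwd() / default)
    return Path(raw).expanduser().resolve()


def resolve_inside(root: Path, relative: str) -> Path:
    """Join a caller-supplied path onto root and refuse anything that escapes it.

    An absolute path replaces root when joined, '..' climbs out of it, and a
    symlink may point anywhere; resolve() collapses all three before the check.
    """
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{relative!r} resolves outside {root}") from None
    return candidate


def is_blocked(root: Path, relative: str) -> bool:
    """True if resolve_inside() rejects the path."""
    try:
        resolve_inside(root, relative)
    except PermissionError:
        return True
    return False


def list_media(root: Path, exts: Iterable[str] = MEDIA_EXTS) -> list:
    """Enumerate media files under root only. Symlinked directories are not
    descended into and symlinked files are skipped, so a link to another drive
    cannot pull unrelated files into the index."""
    exts = tuple(e.lower() for e in exts)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_symlink() and p.suffix.lower() in exts:
                found.append(p)
    return sorted(found)


def find_ffmpeg(env: Optional[Mapping[str, str]] = None) -> Path:
    """Locate ffmpeg from an explicit FFMPEG_PATH or from PATH, and fail loudly
    rather than letting subprocess run whatever 'ffmpeg' happens to resolve to."""
    env = os.environ if env is None else env
    explicit = env.get("FFMPEG_PATH")
    if explicit:
        p = Path(explicit).resolve()
        if not (p.is_file() and os.access(p, os.X_OK)):
            raise FileNotFoundError(f"FFMPEG_PATH={explicit!r} is not an executable file")
        return p
    found = shutil.which("ffmpeg", path=env.get("PATH", os.defpath))
    if found is None:
        raise FileNotFoundError("ffmpeg not found on PATH; set FFMPEG_PATH explicitly")
    return Path(found).resolve()


def demo() -> dict:
    """Exercise the helpers on a constructed temp layout and return the results."""
    tmp = Path(tempfile.mkdtemp(prefix="skill-demo-"))
    (tmp / "bgm").mkdir()
    (tmp / "bgm" / "theme.mp3").write_bytes(b"constructed sample, not audio")
    (tmp / "clients.xlsx").write_bytes(b"constructed sample, not a workbook")
    fake_ffmpeg = tmp / "ffmpeg"                  # stand-in binary, constructed
    fake_ffmpeg.write_text("#!/bin/sh\nexit 0\n")
    fake_ffmpeg.chmod(0o755)
    empty_bin = tmp / "empty-bin"
    empty_bin.mkdir()

    root = resource_root({"RESOURCE_DIR": str(tmp)})
    escapes = ["../outside.mp3", str(Path(tmp.anchor) / "etc" / "passwd")]
    results = {
        "root_ok": root == tmp.resolve(),
        "media": [p.name for p in list_media(root)],
        "inside": resolve_inside(root, "bgm/theme.mp3").name,
        "escapes_blocked": [is_blocked(root, e) for e in escapes],
        "ffmpeg": find_ffmpeg({"FFMPEG_PATH": str(fake_ffmpeg)}).name,
    }
    try:
        find_ffmpeg({"PATH": str(empty_bin)})
        results["missing_ffmpeg"] = "found"
    except FileNotFoundError:
        results["missing_ffmpeg"] = "raised"
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

The spreadsheet in the sample layout is deliberately left out of the media index: a resource indexer that only needs audio, image and video files has no reason to open Excel or CSV files at all, and an allow-list of extensions plus the containment check keeps a hardcoded D:\ scan from turning into a read of the whole drive.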

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cdx5cn22j2bjazr0mhqw19h83v53j
