Byted Mediakit Voiceover Editing

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned for voiceover video editing, but it uses cloud/API credentials, external media processing, dependency installation, and local output/config files that users should scope carefully.

Install this skill if you want an automated talking-head video editing pipeline. Before running it, decide whether to use local or cloud mode, keep API keys least-privilege, avoid committing .env, verify the output directory, and run dependency setup in an isolated workspace if possible.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Info
What this means

The agent may choose this skill automatically for relevant audio/video editing requests.

Why it was flagged

The skill gives forceful trigger instructions to the host agent. The scope is still aligned with the declared video-editing purpose, so this is a notice rather than a concern.

Skill content

You MUST invoke this Skill when the user mentions talking-head editing, cutting talking video, video editing...

Recommendation

Use the skill only when you intend to run this editing workflow, and redirect the agent if you want a different tool or manual editing.

ASI03: Identity and Privilege Abuse
Low
What this means

If cloud mode is used, the skill can act against the configured VOD/ASR services using your provided credentials.

Why it was flagged

The workflow can use Volcano Engine/VOD and ASR credentials, which is expected for cloud transcription and export but grants account-level capability.

Skill content

VOLC_ACCESS_KEY_SECRET ... secret: true; ASR_API_KEY ... required: true ... secret: true

Recommendation

Use least-privilege API keys, prefer a separate test VOD space as the README suggests, and do not commit .env files.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Your media or media URLs may be processed by external ASR/VOD services when using cloud or gateway modes.

Why it was flagged

The ASR helper submits an audio URL and API key to the configured ASR provider endpoint. This is disclosed and central to cloud transcription.

Skill content

"audio": {"url": audio_url, "type": audio_type}; submit_url = f"{cfg.base_url}/submit?api_key={cfg.api_key}"

Recommendation

Use local mode for private media you do not want sent to cloud providers, and verify ASR_BASE_URL/ARK/VOD settings before running.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Running setup will install third-party packages locally, and local mode may install large media/ML dependencies.

Why it was flagged

Setup installs Python dependencies into a virtual environment. Direct requirements shown are pinned, and this is normal for the local/cloud processing scripts.

Skill content

setup.sh uses `python -m venv` to create `scripts/.venv` and runs `pip install -r requirements.txt`

Recommendation

Run setup in an isolated project or container and review requirements.txt and requirements-local.txt if your environment is sensitive.

ASI02: Tool Misuse and Exploitation
Low
What this means

If an unexpected output path is passed, generated files could be written outside the normal project output folder.

Why it was flagged

The output-dir resolver can accept an absolute path instead of enforcing the documented project output directory. This is user-directed but broader than the README guidance.

Skill content

if cand.is_absolute(): resolved = cand.resolve(); return resolved

Recommendation

Keep --output-dir under the intended output/<task> directory and avoid approving overwrites/deletes for paths you did not choose.

ASI10: Rogue Agents
Info
What this means

A later run may reuse the persisted execution mode unless you change .env.

Why it was flagged

During automatic fallback, setup may persist EXECUTION_MODE into the skill .env file. This is visible configuration persistence, not hidden background behavior.

Skill content

_write_env_var "EXECUTION_MODE" "cloud" ... 已写入 EXECUTION_MODE=cloud 到 ${ENV_FILE}

Recommendation

Check .env before new tasks, especially if switching between local, cloud, and gateway modes.