Byted Las Video Edit

Key points to consider before installing/using: - Metadata mismatch: The registry claims no required env vars but SKILL.md and scripts/skill.py require LAS_API_KEY (plus optional LAS_REGION / LAS_API_BASE). Ask the provider to update registry metadata so you know what secrets you'll need to supply. - Credential safety: Only provide a LAS_API_KEY that is scoped/minimal for this service; avoid reusing long-lived or broadly privileged keys. Prefer creating a dedicated key for this skill and be prepared to revoke it if needed. - env.sh and working directory: The script will try to read env.sh in the current working directory if LAS_API_KEY is not in the environment. Do not place unrelated secrets in env.sh. Run the skill from a directory that contains only the intended env.sh or use environment variables instead. - Network behavior: The script performs DNS resolution to block private IPs and then sends URLs (and the API key in Authorization header) to the documented operator endpoints. Confirm those endpoints (operator.las.cn-beijing.volces.com / operator.las.cn-shanghai.volces.com or your explicit LAS_API_BASE) are expected. Because the operator may fetch referenced URLs (e.g., reference images or tos:// paths), avoid passing URLs that expose internal resources you don't want the operator to access. - Provenance & trust: Source/owner is unknown. If you need higher assurance, request the upstream source repository, a signed release, or a vendor statement. Consider running the script in an isolated environment (container or VM) and testing with a non-production API key first. - Ask for small fixes: Request that the package registry metadata be corrected to declare LAS_API_KEY and optional env vars, and ask the maintainer to document the minimum required key permissions. If you can't obtain these assurances, treat installation as higher risk.