Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hehe-ddc

v1.0.1

Douyin video auto-generation: image + copy → video, with Edge TTS male/female voices, line-by-line subtitles, random BGM, and smart duration fitting

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The declared purpose (generating short marketing videos) matches the code and docs, but the package metadata/registry entry declares no required binaries or environment, while the code expects ffmpeg and the 'edge-tts' CLI (both also listed in clawhub.json). There are also inconsistent path and name references (e.g., config/default.json and README refer to 'video-auto' while the skill slug is 'ddc'), which suggests sloppy configuration or copy-paste errors.

Instruction Scope
SKILL.md and the included scripts perform the expected tasks (TTS generation, subtitle creation, BGM selection/download, ffmpeg processing, optional copy to a Windows path). However, the runtime instructions and the script reference and access system paths outside the skill directory (WORK_DIR = ../../../../..../workspace-kaifa/quick-test and default image/output paths under /home/openclaw/.openclaw/...), which can read or write user files unrelated to the skill. The code downloads BGM from external URLs and calls an unauthenticated Baidu TTS endpoint as a fallback — network activity is expected for this skill but should be acknowledged.

Install Mechanism
There is no install spec (instruction-only plus a Python script). That minimizes supply-chain install risk because nothing is automatically fetched or installed by the skill installer itself. Still, the script expects external tools and packages (the edge-tts CLI, ffmpeg, Python packages) to be present on the host.

Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it does expect network access (to Pixabay and Baidu) and local filesystem access beyond the skill folder (see WORK_DIR/BGM_DIR and the hard-coded default paths). These filesystem accesses are disproportionate for a self-contained skill and could expose other user files if those paths exist on the host.

Persistence & Privilege
The skill does not request 'always:true' and does not declare changes to other skills or global agent settings. Its runtime actions are limited to local file reads/writes, spawning ffmpeg/edge-tts, and HTTP downloads — normal for a video generator.

What to consider before installing
Before installing or running this skill:
1) Inspect scripts/generate.py yourself — pay attention to WORK_DIR and BGM_DIR, which point outside the skill folder (could read/write files in /workspace-kaifa/quick-test/out).
2) The package requires ffmpeg and the edge-tts CLI plus Python packages (aiohttp, requests) even though the registry metadata showed none; install those from trusted sources first.
3) Expect outbound network calls (Pixabay CDNs, Baidu TTS fallback) — run in an environment where that is allowed.
4) Review and update config/default.json to remove any hard-coded local paths or sensitive data (the default contains absolute paths and sample promo text with prices).
5) If you cannot review the code, run it in a sandboxed VM/container with limited network and filesystem access.
6) If you need higher assurance, ask the author for clarification about the external WORK_DIR usage and for a cleaned-up config that uses only the skill directory.
