Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
short-video-content-replicator
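v1.0.1 One-click end-to-end short-video content replication workflow. Takes a Douyin/Bilibili video URL or a local video directory and runs six steps strictly in order: 1. link-resolver-engine downloads the video; 2. mp4-to-mp3-extractor extracts the MP3; 3. purevocals-uvr-automator extracts the dry vocals; 4. turbo-whisper-lo...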
by 顶尖王牌程序员 @wangminrui2022
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to orchestrate six atomic skills by invoking their CLI scripts. That purpose aligns with the commands shown, but the package contains only SKILL.md/README/.gitignore and does not declare or bundle the referenced atomic skills or their dependencies. The absence of declared dependencies for a Python-script-driven pipeline is an incoherence: a real orchestrator would at minimum document required runtimes and the atomic skills it depends on.
Instruction Scope
Runtime instructions tell the agent to execute Python scripts under ./skills/<name>/scripts/ and to run a 'replicate' CLI, but those scripts/CLI are not part of this bundle and the SKILL.md does not explain how they are provided. The instructions otherwise stay within the pipeline purpose (download → audio → vocals → STT → correction → punctuation) and do not ask to read unrelated system files or environment variables.
Install Mechanism
There is no install spec (instruction-only), which minimizes direct install risk. However, being instruction-only increases reliance on the agent environment containing the referenced tools; that environmental dependency is not declared.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However it fails to declare required binaries/runtimes (e.g., Python) even though every command uses 'python'. It also implicitly depends on potentially large model files and other atomic skills (Whisper models, FunASR, UVR), but provides no guidance about those files or their locations.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not attempt to modify other skills or global agent configuration in the provided instructions.
What to consider before installing
This skill is an orchestrator that expects many local Python scripts and models to already exist, but the package you reviewed contains only documentation — it does not include the referenced ./skills/<name>/scripts/ tools nor declare required runtimes (Python) or model/config locations. Before installing or running it: (1) verify the exact source of the atomic skills it calls and only use them if they come from trusted repositories; (2) ensure Python and any required ML models are present and installed securely; (3) confirm what the 'replicate' CLI is and where it comes from; (4) consider legal/copyright risks of downloading and reproducing content from Douyin/Bilibili. If the author cannot provide the missing dependencies or a trustworthy package that includes or declares them, treat this skill as incomplete and avoid running it.
Like a lobster shell, security has layers — review code before you run it.
latestvk978nhekcxy785gctt7rb1e2jx847qg6
