Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seedance + Waoo 短视频流水线
v1.1.4自动化短视频工作流(story-to-video pipeline):从剧本/分镜到生成、字幕 ASR、TTS、合并交付,支持 Seedance / Vidu / MiniMax 多厂商路由。
⭐ 1· 104·0 current·0 all-time
by@wusyu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the actual code and instructions: many scripts implement storyboard/prompt generation, first-image, video submit/poll/download, ASR/TTS checks and config guidance. Requiring vendor API keys in the pipeline config (not as environment variables) is expected for a multi-vendor media pipeline.
Instruction Scope
SKILL.md and scripts instruct the agent to read pipeline config/state files, generate artifacts, run local node scripts, spawn helper binaries (ffmpeg/tsx) and call vendor APIs to submit/poll/download media — all within the stated pipeline scope. Checkpoints and user-approval steps are explicit and limit autonomous actions.
Install Mechanism
No install spec; code is instruction-and-script-only. That keeps risk lower because nothing is fetched/installed by an installer step. The code may still download media from configured vendor URLs at runtime (expected behavior).
Credentials
Registry metadata lists no required env vars, and the skill does not demand platform secrets, but it does expect APIKey values inside a JSON pipeline config (config/pipeline.config.json or user-provided path). This is reasonable but note the difference: secrets are stored in config files rather than declared env vars; the skill checks and uses those API keys to call vendor endpoints.
Persistence & Privilege
always is false and the skill is user-invocable. It runs local scripts that read/write files under workspace and may spawn child processes (ffmpeg/node); this is expected for a media pipeline and does not request system-wide persistent privileges.
Assessment
This skill appears to do what it says, but before installing:
- Review and supply pipeline config (config/pipeline.config.json). The skill expects vendor 'API Key' fields in that config; treat them as secrets.
- Only put API keys for vendors you trust into the config; don't paste unrelated credentials.
- The runtime will read/write files in the workspace and may call out to vendor endpoints to submit/poll/download media. If you want to limit exposure, run it in an isolated/test environment and use test/demo keys first.
- The scripts spawn local binaries (ffmpeg/ffprobe/tsx/node). If you do not want local media processing, ensure those binaries are absent or disabled.
- If you need stronger assurance, inspect any omitted files (remaining 47 files) for network endpoints or unusual code paths; consider running under restricted network or containerized environment.
- Autonomous invocation is allowed by default but the skill's SKILL.md defines explicit checkpoints — still review triggers and only enable runtime autonomy if you are comfortable with that behavior.scripts/_shared.ts:294
Shell command execution detected (child_process).
scripts/continue-after-first-image.cjs:41
Shell command execution detected (child_process).
scripts/continue-seedance-flow.cjs:114
Shell command execution detected (child_process).
scripts/diagnose-environment.cjs:37
Shell command execution detected (child_process).
scripts/merge-final-videos.ts:73
Shell command execution detected (child_process).
scripts/mix-final-video.ts:33
Shell command execution detected (child_process).
scripts/run-seedance-entry.cjs:145
Shell command execution detected (child_process).
scripts/run-seedance-workflow.cjs:40
Shell command execution detected (child_process).
scripts/run-video-submit-chain.cjs:74
Shell command execution detected (child_process).
scripts/self-test-prompt-pack.cjs:17
Shell command execution detected (child_process).
scripts/self-test-workflow-driver.cjs:39
Shell command execution detected (child_process).
scripts/_shared.ts:307
Environment variable access combined with network send.
scripts/_shared.ts:101
File read combined with network send (possible exfiltration).
scripts/download-official-video.cjs:26
File read combined with network send (possible exfiltration).
scripts/generate-first-image-asset.cjs:26
File read combined with network send (possible exfiltration).
scripts/generate-first-image-pack.cjs:38
File read combined with network send (possible exfiltration).
scripts/generate-seedance-pack.cjs:40
File read combined with network send (possible exfiltration).
scripts/poll-official-video.cjs:26
File read combined with network send (possible exfiltration).
scripts/submit-official-video.cjs:26
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
ai-videovk977n1htdfbtwhhbhgtj76rjwd8411v1asrvk977n1htdfbtwhhbhgtj76rjwd8411v1latestvk974af446zb5ky18f7h37erztd842fvhminimaxvk977n1htdfbtwhhbhgtj76rjwd8411v1pipelinevk977n1htdfbtwhhbhgtj76rjwd8411v1seedancevk974af446zb5ky18f7h37erztd842fvhshort-videovk974af446zb5ky18f7h37erztd842fvhstory-to-videovk977n1htdfbtwhhbhgtj76rjwd8411v1storyboardvk974af446zb5ky18f7h37erztd842fvhsubtitlevk977n1htdfbtwhhbhgtj76rjwd8411v1ttsvk974af446zb5ky18f7h37erztd842fvhvideo-automationvk977n1htdfbtwhhbhgtj76rjwd8411v1video-pipelinevk974af446zb5ky18f7h37erztd842fvhviduvk977n1htdfbtwhhbhgtj76rjwd8411v1waoowaoovk974af446zb5ky18f7h37erztd842fvhworkflowvk977n1htdfbtwhhbhgtj76rjwd8411v1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.