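Intelligently generates scripts and videos from a requirement description, so that every one of your marketing videos stands out. Applies when the user wants to "turn this requirement directly into a video", producing the result automatically through the API rather than writing it by hand.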
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its video-generation purpose, but it contains a hard-coded dashboard access token, making the account permissions and responsibility for generated videos unclear.
Only use this skill if you are comfortable sending video requirements and optional image URLs to xiaonian.cc, and ask the publisher to remove and rotate the hard-coded token or provide a documented, user-controlled authentication method before relying on it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Videos may be generated under a shared or publisher-controlled dashboard account, and the embedded token could be abused or revoked unexpectedly.
The script embeds a bearer-style dashboard token and uses it automatically when no environment token is provided. This gives the skill account-level authority whose owner, scope, rotation, and limits are not clear to the user.
DEFAULT_TOKEN = "atk_ajhh..."; token = os.getenv("DASHBOARD_TOKEN") or DEFAULT_TOKEN
Remove the hard-coded token, rotate it, and require a clearly declared user- or service-scoped credential with least-privilege permissions and documented data handling.
