Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your Chanjing API credentials and cache an access token locally; if CHANJING_API_BASE is changed to an untrusted host, those credentials could be sent there.
The helper sends locally stored Chanjing app_id and secret_key to the configured API base to obtain an access token. This is expected for the integration, but it is sensitive account authority.
API_BASE = os.environ.get("CHANJING_API_BASE", "https://open-api.chanjing.cc") ... data=json.dumps({"app_id": app_id, "secret_key": secret_key})
Use a dedicated Chanjing API credential, keep CHANJING_API_BASE at the official URL unless intentional, and protect the local credentials file.
Private videos, audio, or text prompts may be processed by Chanjing and exposed through a remote result URL.
The documented workflow sends user-provided video and audio to the Chanjing API and returns a provider-hosted result. This is central to the skill purpose and is disclosed.
Upload the source avatar video and optional driving audio to obtain `file_id` ... On success, return the remote video URL from the API response
Only upload media you are comfortable sending to Chanjing, and review the provider’s privacy and retention terms for sensitive content.
Some documented commands may fail or tempt users to look for replacement scripts elsewhere.
SKILL.md documents several executable helper scripts, while the provided manifest contains only SKILL.md and scripts/_auth.py. This is a packaging/provenance gap, not evidence of malicious behavior.
| `chanjing-config` | write or inspect local `app_id` / `secret_key` configuration | ... | `upload_file` | upload a local file ... | `create_task` | create a lip-sync task ... | `poll_task` | poll task status
Use only scripts supplied by a trusted package source, and ask the publisher to include or document the missing helpers.
