
      Safety Report

      Video Pipeline Bundle

      @Leochens

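      One-stop video workflow skill bundle. Integrates the full video flow of clipping, transcription, subtitle burn-in and concatenation, with support for step-by-step execution and user confirmation. Includes: (1) auto-editor - video clipping that removes silent segments; (2) Faster Whisper + MiniMax LLM - speech to subtitles; (3) ffmpeg - burn subtitles into the video; (4) FFmpeg toolbox - join...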

      122 Downloads
      1 Installs
      0 Stars
      3 Versions
      Video & Audio (1,618) · AI & Machine Learning (1,383)

      Security Analysis

      medium confidence
      Clean

      The bundle largely matches its stated video-processing purpose, but multiple inconsistencies and risky behaviors (automatic pip installs in runtime scripts, undeclared env vars, reliance on an external 'openclaw' CLI and a nonstandard HF mirror) mean you should review and run it in an isolated environment before trusting it.

      Mar 7, 2026 · 6 files · 4 concerns

      Purpose & Capability: note

      Name/description match the included code: scripts implement clip → transcribe → burn → concat using ffmpeg, auto-editor and faster-whisper and call an LLM for correction. However the SKILL metadata declared no required env vars while SKILL.md and code require MINIMAX_API_KEY (and the code also supports OPENAI/ANTHROPIC env keys and OPENCLAW_TARGET/OPENCLAW_CHANNEL). This mismatch between declared registry metadata and actual needs is inconsistent.

      Instruction Scope: concern

      SKILL.md states optional Feishu notifications and that --install-deps won't run system package installs automatically, but multiple scripts will perform pip installs at runtime (video_clip.py, video_to_text.py) and call the external 'openclaw' CLI to send messages. Scripts also rename original files (mark them _已剪辑) and move files from input locations; these are reasonable for a pipeline but are destructive actions that should be expected and warned about. Notification behavior can leak filenames/processing status to the configured OPENCLAW_TARGET; SKILL.md warns about this, but the runtime sending is unconditional when TARGET is set. The scripts also set a default HF_ENDPOINT to https://hf-mirror.com (a nonstandard mirror) which affects where model downloads/api traffic may go — this is not called out in the top-level requirements.

      Install Mechanism: concern

      There is no formal install spec (instruction-only), but several scripts attempt to pip install dependencies at runtime using subprocess (e.g., pip install auto-editor, faster-whisper, requests with --break-system-packages). This contradicts SKILL.md's claim that --install-deps only prints commands and does not perform installs. Automatic pip installs during script execution increase risk and surprise for the user.

      Credentials: concern

      SKILL.md and some scripts require MINIMAX_API_KEY, and the code also supports OPENAI_API_KEY and ANTHROPIC_API_KEY though those are not highlighted in the top-level requirements. Scripts use OPENCLAW_TARGET and OPENCLAW_CHANNEL for notifications. Registry metadata states no required env vars — that is inconsistent and understates the credentials the code can access. Requiring LLM keys is proportionate to the correction feature, but undeclared additional keys and notification targets risk leakage if set globally.

      Persistence & Privilege: ok

      The skill is not always-enabled and does not request any special persistent platform privilege. It does call an external 'openclaw' CLI to send notifications (so requires that binary and its credentials), but it does not appear to modify other skills or system-wide agent settings.

      Guidance

      Key things to consider before installing or running this bundle:

      - Metadata mismatch: the registry says no env vars required, but the package needs MINIMAX_API_KEY (and can also use OPENAI/ANTHROPIC keys). Do not set API keys globally unless you intend the feature; prefer passing --api-key at runtime.
      - Automatic installs at runtime: some scripts will attempt to pip install dependencies when executed. If you want full control, run in a disposable virtualenv or container and inspect/approve installs first.
      - Notifications / possible exfiltration: scripts call an external 'openclaw' CLI to send messages to Feishu and will include filenames and progress. If you set OPENCLAW_TARGET or OPENCLAW_CHANNEL those notifications will go to that target. Keep notifications disabled (--notify false) or avoid setting OPENCLAW_TARGET if you don't want file names sent externally.
      - Nonstandard HF mirror default: the code sets HF_ENDPOINT to https://hf-mirror.com which may redirect model downloads or API calls to a third-party mirror. If you care where models are downloaded from, override or remove that env default before running.
      - Code quality: several scripts contain obvious bugs and malformed subprocess calls (broken quoting and syntax in pipeline.py). Expect to need to fix code before reliable use.

      Recommended actions:

      1) Inspect and, if needed, edit the scripts (remove or control auto-install behavior, fix broken strings).
      2) Run only in an isolated environment (container or VM) with no sensitive environment variables exported.
      3) Do not set OPENCLAW_TARGET, and prefer passing LLM keys on the command line if you must test.
      4) Verify the openclaw binary and its configuration before enabling notifications.
      5) If you require model downloads, explicitly set HF_ENDPOINT to an endpoint you trust or remove the default.

      Because of the mismatches and runtime install/notification behavior, treat this skill as suspicious until you validate and sanitize it in an isolated environment.

      Latest Release

      v1.0.2

      Restore original behavior: setting --target automatically sends Feishu notifications

      Published by @Leochens on ClawHub