Security scan
Medium confidence: The skill appears to do what it claims (record browser demos with TTS, overlays, and FFmpeg) and its files align with that purpose, but there are several operational and safety concerns you should review before running it.
Assessment recommendations
This skill is coherent with its stated purpose, but take these precautions before running:
- Inspect and (if needed) edit SCENES in scripts/record-demo.mjs so they only point to public pages you control; do NOT point it to authenticated or private pages unless you understand the privacy risk (screenshots capture page content).
- Review any narration or scene id content before running; the script uses execSync with string commands (edge-tts, ffmpeg, ffprobe). Avoid untrusted text that could inclu...
✓ Purpose and capabilities
Name, description, and included files (Puppeteer script, edge-tts usage, PIL overlay generation, FFmpeg commands) match the stated goal of creating product demo videos; no unrelated credentials, config paths, or services are requested.
ℹ Instruction scope
SKILL.md and record-demo.mjs instruct the agent to visit arbitrary URLs and screenshot them, generate TTS via edge-tts (which calls Microsoft servers), run FFmpeg/ffprobe, and create overlay images with a generated Python script. This stays within the stated purpose, but there are noteworthy runtime behaviors: the tool will capture screenshots of any provided URL (including authenticated/private pages if pointed there), and it invokes external network services (edge-tts). The code uses execSync with shell-interpolated strings (narration, filenames, ids), which can lead to command-injection risks if scene IDs or narration text are untrusted.
ℹ Install mechanism
There is no platform-level install spec, but an included scripts/install-deps.sh downloads an FFmpeg static build from johnvansickle.com (a common FFmpeg static source) and copies the binaries to /usr/local/bin. The script also uses apt/dnf package installs and pip installs. Downloading and extracting an archive and copying it into /usr/local/bin is invasive and will require elevated privileges; the curl+tar approach is higher risk than using a package manager, but the upstream source is known.
✓ Credential requirements
The skill does not request environment variables or credentials, and the code does not read secret env vars. The only external services used are Microsoft TTS via edge-tts and standard utilities (ffmpeg, chromium).
ℹ Persistence and permissions
always:false is set and no special agent permissions are requested. The install script writes system-wide binaries (/usr/local/bin) and installs fonts/packages; running that script will require sudo/root on many systems. The skill does not attempt to modify other skills or agent configurations.
⚠ scripts/record-demo.mjs:142
Shell command execution detected (child_process).
Safety comes in degrees; review the code before running.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/3/13)
Automated demo video pipeline: Puppeteer + edge-tts + PIL + FFmpeg
● Suspicious
Install command
Official: npx clawhub@latest install product-demo-video
Mirror (accelerated): npx clawhub@latest install product-demo-video --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库