Security Scan
OpenClaw
Suspicious
medium confidence
The skill generally matches its purpose (transcribe video → generate images → automate Instagram posting), but there are several inconsistencies and missing declarations (notably required env vars and external integrations) and this skill exercises browser automation against a logged-in Instagram session — review before installing or running.
Assessment recommendations
This skill appears to implement the described pipeline, but there are a few red flags to consider before installing or running it:
- Metadata mismatch: The SKILL.md (and scripts) require ffmpeg and an OPENAI_API_KEY (Whisper transcription), and optionally a Replicate key and a logged-in OpenClaw browser Instagram session — but the registry metadata declares none of these. Treat the skill as incomplete until metadata is corrected.
- Credential scope: The transcription step will send audio to a...
Detailed analysis
⚠ Purpose and capabilities
The SKILL.md and code show a legitimate need for ffmpeg, an OpenAI API key (Whisper transcription), and an OpenClaw/browser session for Instagram posting. However, the registry metadata declares no required env vars or binaries — a clear mismatch. The skill also mentions optional Replicate usage and Slack approvals in the workflow, but those integrations are not declared in metadata and are not implemented in the codebase (no Slack client or Replicate calls present).
ℹ Instruction scope
The runtime instructions correctly describe the end-to-end pipeline. The scripts perform file I/O, local ffmpeg/ffprobe operations, call OpenAI's API via curl (transcribe.sh), and drive a logged-in Instagram session through the OpenClaw browser using Playwright/CDP. The agent instructions require sending previews/approval via Slack, but the repo contains no Slack integration — this means the agent or user must supply that channel separately. The instructions do not instruct reading unrelated system secrets, but they do require access to a logged-in browser profile (which gives access to the user's Instagram session).
ℹ Install mechanism
No install spec is provided in the registry (instruction-only), but package.json lists a native dependency (canvas) that requires npm install and native build/prebuild tooling. Installing may trigger native build steps (prebuild-install) and fetches from npm; that's expected but worth noting. Playwright is not bundled — the Playwright helper expects playwright-core to be available from an OpenClaw installation or global node_modules, which may lead to runtime failures if the environment is not prepared.
⚠ Credential requirements
SKILL.md explicitly requires OPENAI_API_KEY (and optionally REPLICATE_API_TOKEN) and ffmpeg, plus a logged-in OpenClaw browser Instagram session. The registry metadata, however, lists no required env vars or binaries. The discrepancy is worrying because the transcribe script uses the OPENAI_API_KEY environment variable directly; that credential is required but not declared. The skill does not request unrelated cloud credentials, but it does rely on a privileged local session (Instagram) that enables posting on the user's behalf.
✓ Persistence and privileges
The skill does not request always:true or attempt to modify other skills or system-wide agent settings. It runs as a normal skill and uses OpenClaw's browser automation and local temp directories (/tmp/openclaw/uploads). Autonomous invocation is allowed by default but not unusual. No evidence of persistent background services or self-enabling behavior.
⚠ scripts/post-to-instagram.js:56
Shell command execution detected (child_process).
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/20
- Adds end-to-end pipeline for converting podcast/video episodes into Instagram-ready content (carousel posts, quote cards, and Reels).
- Automates transcription, content extraction, video frame selection, image generation, and posting via browser automation.
- Supports both YouTube URLs and direct video files as input sources.
- Integrates explicit visual and caption approval steps before publishing.
- Includes strict content and branding rules, with customizable options in brand-config.json.
- Ensures posts are only uploaded after final user confirmation with visual previews.
● Benign
Install command
Official: npx clawhub@latest install veezvg-episode-to-instagram
Mirror (accelerated): npx clawhub@latest install veezvg-episode-to-instagram --registry https://cn.longxiaskill.com (mirror sync in progress)