← Back to Skills Marketplace
QCut Toolkit
by
donghaozhang
· GitHub ↗
· v1.0.1
470
Downloads
0
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install qcut-toolkit
Description
Unified QCut media toolkit — organize project files, process media with FFmpeg, generate AI content, control the QCut editor with native CLI commands, genera...
Usage Guidance
This package looks like a full QCut toolset (FFmpeg docs, AI pipeline, local HTTP APIs and helper scripts). Before installing or enabling it: 1) Confirm you run it inside the QCut/Electron environment it targets — otherwise expected binaries (aicp, bundled AICP binary, ffmpeg) and the local Claude HTTP server may not exist. 2) Review the bundled scripts (subtitle_server.js, review_server.js, shell scripts) before running — they can open local endpoints or access files. 3) Be aware the docs instruct persistent storage of API keys (e.g., ~/.config/video-ai-studio/credentials.env) and call external model endpoints (fal.run, Google providers). Only provide API keys you trust and consider scope-limited keys. 4) If you do not want the skill to access local files or start servers, do not run the CLI/server components; if you need to run them, sandbox or inspect them first. 5) If you want a definitive benign/malicious determination, provide the contents of the included JS/shell scripts for review (the manifest lists them but their code was not fully shown here).
Capability Analysis
Type: OpenClaw Skill
Name: qcut-toolkit
Version: 1.0.1
The toolkit contains several high-risk behaviors and architectural patterns that, while functional, create significant security and privacy concerns. Most notably, 'subtitles/SKILL.md' and 'talk-edit/SKILL.md' instruct the agent to upload user audio files to 'uguu.se' (a public temporary file hosting service) to facilitate transcription via the Volcengine API. The toolkit also includes local Node.js HTTP servers ('subtitle_server.js' and 'review_server.js') that execute shell commands using 'execSync' and 'spawn', presenting a potential Remote Code Execution (RCE) surface if the local ports are exposed. Furthermore, the 'videocut/self-evolve/SKILL.md' instructions explicitly direct the AI agent to modify its own skill files and rules based on 'feedback,' which could be leveraged as a mechanism for persistence or to inject malicious instructions into the agent's logic over time.
Capability Assessment
Purpose & Capability
The skill's name/description (QCut media toolkit) matches the included sub-skills (ffmpeg guides, AI pipeline, project organization, PR comments). However, the SKILL.md and reference docs assume the presence of QCut-specific binaries (aicp, QCut/Electron host, ffmpeg) and credential plumbing that are not declared in the skill metadata (required binaries/env/config). That omission is an inconsistency: a legitimate QCut skill would normally declare or at least document required runtime binaries/environment.
Instruction Scope
The skill's instructions reference running/using local CLI binaries (aicp, QCut), a local HTTP API (localhost:8765), and persistent credential stores (e.g., ~/.config/video-ai-studio/credentials.env). The docs show APIs that accept absolute file paths and timeline/media IDs — these afford the agent access to arbitrary local files if invoked. The SKILL.md instructs setting and injecting API keys and includes multi-tier key resolution; it also routes to sub-skill docs and shell/js scripts present in the bundle. These behaviors go beyond simple text-only help and could read/write sensitive files or start local servers if executed, so the instruction scope is broader than the metadata implies.
Install Mechanism
There is no install spec (instruction-only) which reduces installer risk. However, the package contains executable scripts and server JS files (subtitle_server.js, review_server.js, shell scripts) that could be executed by an agent following the SKILL.md guidance. Absence of a declared install process does not eliminate runtime execution risk.
Credentials
The skill metadata declares no required environment variables or primary credential, yet the SKILL.md and REFERENCE docs repeatedly reference and instruct management of multiple API keys (FAL_KEY, GEMINI_API_KEY, ELEVENLABS_API_KEY, etc.) and a persistent credentials file. Asking the user/agent to set or rely on those secrets without declaring them is inconsistent and elevates the chance of accidental secret exposure or misconfiguration.
Persistence & Privilege
The skill does not request always:true and defaults to normal invocation. But it recommends persistent key storage (CLI set-key that writes to ~/.config/.../credentials.env) and documents local HTTP endpoints and servers. That implies the skill expects to persist secrets and possibly run long-lived local services — reasonable for an app-integrated toolkit but something users should explicitly consent to and verify.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install qcut-toolkit - After installation, invoke the skill by name or use
/qcut-toolkit - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Removed 484 documentation and reference files, including multiple SKILL.md, prompt, and style configuration files from submodules such as baoyu-article-illustrator and baoyu-comic.
- No changes to functionality or routing logic; only supporting and example files were deleted.
- Core toolkit description and usage unchanged.
v1.0.0
QCut Toolkit initial release — unified entry point for six core media workflow skills.
- Provides routing to: project/file organization, FFmpeg media processing, AI content generation/analysis, Seedance video prompt generation, MCP preview testing, and PR comment review tools.
- Includes detailed guidance on when to invoke each sub-skill for typical content pipeline requests.
- Documents routing logic for chaining multiple tools, with example user queries and a lookup table.
- Standardizes output structure for all workflows.
- Emphasizes stepwise, confirm-before-destructive execution for multi-stage tasks.
Metadata
Frequently Asked Questions
What is QCut Toolkit?
Unified QCut media toolkit — organize project files, process media with FFmpeg, generate AI content, control the QCut editor with native CLI commands, genera... It is an AI Agent Skill for Claude Code / OpenClaw, with 470 downloads so far.
How do I install QCut Toolkit?
Run "/install qcut-toolkit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is QCut Toolkit free?
Yes, QCut Toolkit is completely free (open-source). You can download, install and use it at no cost.
Which platforms does QCut Toolkit support?
QCut Toolkit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created QCut Toolkit?
It is built and maintained by donghaozhang (@donghaozhang); the current version is v1.0.1.
More Skills