← Back to Skills Marketplace

YM-MediaToolkit(媒体处理工具集)

Name: YM-MediaToolkit(媒体处理工具集)
Author: 370299455cx-web

by 370299455cx-web · GitHub ↗ · v3.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install ym-mediatoolkit

Description

流式视频处理工具集 - 压缩、封面提取、音频转换，无需下载完整视频

Usage Guidance

This skill appears to implement the advertised streaming media processing and includes URL and path checks, but there are multiple inconsistencies you should resolve before installing: (1) Ensure ffmpeg and ffprobe are installed on the host (they are required by the code but not declared in the top-level registry requirements). (2) The published version metadata (3.0.0) does not match the included skill.json/SKILL.md (2.1.0) — ask the author to explain/version-lock. (3) If you plan to run the HTTP server, install Flask (SKILL.md mentions it but requirements.txt omits it). (4) Run the skill in an isolated, non-root environment (container) with restricted outbound network access and a controlled working directory so sanitize_output_path cannot write to unintended locations (if the agent's working directory is '/', absolute writes may still be possible). (5) Test the URL validation behavior (DNS resolution fail-close, IPv6 mapping) in your environment to ensure legitimate sources you rely on are reachable. If the author can fix the manifest/version inconsistency and clearly document required binaries and Python deps, the skill is coherent; until then treat it as suspicious and run only in an isolated sandbox.

Capability Analysis

Type: OpenClaw Skill Name: ym-mediatoolkit Version: 3.0.0 The ym-mediatoolkit skill is a well-structured video processing utility that uses ffmpeg and OpenCV for streaming compression and extraction. It demonstrates strong security practices by implementing robust SSRF protection (including DNS resolution checks and private IP blocking) and path traversal defenses in utils.py. The code logic is transparent, follows security best practices for subprocess handling, and is strictly aligned with its stated purpose of media manipulation without evidence of malicious intent.

Capability Tags

requires-oauth-tokenrequires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

Code files implement streaming compression, thumbnail extraction, and audio extraction consistent with the skill description. However the top-level registry metadata (Requirements: no binaries) contradicts the internal skill.json and README which state ffmpeg/ffprobe are required; the published version (3.0.0) also differs from skill.json/SKILL.md (2.1.0). These metadata mismatches are incoherent and could cause runtime failures or hide required privileges.

✓ Instruction Scope

SKILL.md and run.py limit actions to fetching remote HTTP(S) video URLs, streaming-processing via ffmpeg/ffprobe, and saving outputs. The code performs DNS resolution and range requests to remote hosts and writes local output/temporary files. It does not request unrelated system secrets or attempt to read arbitrary host files. URL validation and output-path sanitization are applied before network I/O or file writes.

ℹ Install Mechanism

No install spec is provided (instruction-only), which reduces supply-chain risk. The README instructs 'pip install -r requirements.txt' (requests, opencv-python, numpy, aiohttp). However SKILL.md also asks to 'pip install flask flask-cors' for HTTP mode but flask is not listed in requirements.txt. The code calls external binaries via subprocess (ffmpeg, ffprobe) and skill.json documents them as required, but the registry 'Required binaries' field was empty — this mismatch should be resolved. No arbitrary remote downloads or URL shorteners are used in install steps.

✓ Credentials

The skill declares no required environment variables or credentials and the code does not access secrets or environment variables. Network access is required (to fetch remote video URLs), which is proportionate to the stated functionality.

✓ Persistence & Privilege

always:false and default autonomous invocation are used (normal). The skill writes local output and temporary files but does not modify other skill configurations or system-wide settings. The skill.json recommends containerized deployment and restricted privileges — appropriate given it performs network I/O and file writes.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install ym-mediatoolkit
After installation, invoke the skill by name or use /ym-mediatoolkit
Provide required inputs per the skill's parameter spec and get structured output

Version History

v3.0.0

媒体处理工具集 - 压缩、封面提取、音频提取/格式转换,，无需下载完整视频

v2.0.2

- Improved security: All user-supplied output paths (`output_path`, `save_path`, `output_dir`) are now strictly checked against path traversal, system reserved names, and enforced to remain within the working directory. - Enhanced SSRF protection: Now, if DNS resolution fails when validating video source URLs, requests are rejected (fail-close strategy), preventing prior accidental bypass on DNS errors. - Updated documentation: Security section now details new output path validation, clarifies DNS error handling, and notes HTTP service defaults to 127.0.0.1 (local only). - Minor notes added to configuration (`clawhub.note`) reminding users not to expose the HTTP service directly to the internet by default.

v2.0.1

2.1.0 版本强调了安全防护增强，并补充了运行时部署指引： - 增强 validate_video_url()，多层校验防范 SSRF/LFI，包括协议、Unicode/Punycode 域名、IP段与 DNS 解析（含 IPv6）。 - 文档显式新增“安全部署指南”：涵盖容器隔离、最小权限、磁盘配额、临时目录清理与前置认证建议。 - 增加 validate_video_url() 检查细节和已知局限说明（如不防 DNS 重绑定、重定向限制）。 - 测试和用法说明中涵盖内网 IPv4/v6 及恶意域名的安全验证例子。 - 版本号从 2.0.0 升级到 2.1.0。

v2.0.0

Major update: Adds comprehensive video URL security validation and documentation. - Strict URL validation now blocks local files, internal IPs, loopbacks, and unsafe protocols to prevent LFI and SSRF attacks. - Validation is enforced before any video URL is processed by all features (compression, thumbnail, audio, info). - Only http:// and https:// video URLs are accepted. - New “security” tag added. - Documentation fully updated to detail security measures, endpoints, CLI usage, and architecture.

v1.0.0

- Introduced stream-based video processing; no need to download entire files. - Added video compression with adjustable output sizes and quality preservation. - Implemented thumbnail extraction at any timecode or frame. - Enabled audio extraction to MP3, WAV, AAC, and M4A formats. - All features use efficient streaming to save time and disk space.

Metadata

Slug ym-mediatoolkit

Version 3.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 5

Frequently Asked Questions

What is YM-MediaToolkit(媒体处理工具集)?

流式视频处理工具集 - 压缩、封面提取、音频转换，无需下载完整视频. It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.

How do I install YM-MediaToolkit(媒体处理工具集)?

Run "/install ym-mediatoolkit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is YM-MediaToolkit(媒体处理工具集) free?

Yes, YM-MediaToolkit(媒体处理工具集) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does YM-MediaToolkit(媒体处理工具集) support?

YM-MediaToolkit(媒体处理工具集) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created YM-MediaToolkit(媒体处理工具集)?

It is built and maintained by 370299455cx-web (@370299455cx-web); the current version is v3.0.0.

More Skills