STH Video Template Generation

by Yin Zhu (@zhuyinzhuyin) · GitHub ↗ · v2.0.0 · MIT-0
Platform: cross-platform · Flagged: ⚠ suspicious

Downloads: 214 · Stars: 0 · Active Installs: 0 · Versions: 1

Install in OpenClaw: /install sth-video-gen
Description
Generate vertical 9:16 videos for Sing The Hook song templates using a two-stage pipeline with MCP, trimming, uploading to GCS, and database updates.
Usage Guidance
Key points to verify before installing or running:

- Mismatched declarations: The registry says "no env vars" but SKILL.md asks for many sensitive variables (DB creds, MCP API key, GCS key path). Ask the author which is authoritative. Do not hand over secrets until you confirm the code will use them correctly.
- Code vs env: Inspect/modify the code to ensure DB/MCP/GCS configuration is read from secure environment variables (or a config file) rather than from hardcoded defaults (the current DB_CONFIG and MCP_CONFIG are hardcoded). If you expect it to use STH_DB_* / STH_MCP_* variables, confirm the code reads os.environ for those keys.
- Run in an isolated sandbox: Because the scripts execute psql, curl, ffmpeg/ffprobe and update a PostgreSQL table, test the skill in a throwaway environment (or with a read-only test DB and fake MCP credentials) before providing production credentials.
- Verify external endpoints and credentials: The code targets an external MCP endpoint (https://kansas3.8glabs.com/mcp). Confirm that endpoint is trusted and that the MCP API key will be scoped/rotated appropriately. The skill also uploads to GCS — prefer a service account with minimal permissions (only the target bucket) and avoid broad-scoped keys.
- File paths and data exposure: The scripts reference /root/.openclaw/media/inbound and write logs and state under the skill directory. Ensure those paths are acceptable and contain no sensitive data you don't want processed. Consider running with a limited filesystem view.
- Review and harden: If you plan to use this, update the code to read credentials from environment variables, validate/escape template IDs before building SQL, and limit polling durations/worker counts. Remove or document any behavior that writes notifications or uses Telegram.

If you cannot confirm these items with the author, treat the skill as untrusted and avoid supplying real DB or cloud credentials.
Capability Analysis
Type: OpenClaw Skill
Name: sth-video-gen
Version: 2.0.0

The skill bundle implements a video generation pipeline but contains multiple critical SQL injection vulnerabilities across several files, including sth_video_generator.py and batch_processor.py, where template IDs from user-provided CSV inputs are directly interpolated into database queries. The scripts also perform high-risk operations such as executing shell commands (psql, ffmpeg, curl) and uploading data to Google Cloud Storage. While these actions appear aligned with the stated purpose of the 'Sing The Hook' service, the lack of input sanitization and the broad use of system commands present a significant security risk without clear evidence of intentional malice.
Capability Assessment
Purpose & Capability
The skill claims to generate STH videos via MCP and upload them to GCS (consistent with the included scripts). However, the registry metadata lists no required env vars/binaries while SKILL.md requires many sensitive values (DB host/credentials, MCP endpoint & API key, GCS key path). Worse: the Python code largely uses hardcoded DB/MCP configuration constants (localhost/dev_mobile/openclaw and the MCP endpoint) rather than reading the SKILL.md-listed STH_* environment variables — a direct mismatch that is not explained and may cause the skill to act on local resources unexpectedly.
Instruction Scope
SKILL.md gives a narrow runtime flow (ask for CSV, run sth_video_generator.py). The actual code goes beyond that: it runs psql, curl, ffprobe/ffmpeg, downloads audio to temp files, writes logs and state files in the skill and /root/.openclaw/media paths, polls external MCP endpoints, and updates a database table. The SKILL.md does not document some hardcoded file paths (e.g., /root/.openclaw/media/inbound) or the precise behavior of the background polling and file writes. The instructions also ask for env vars that the code doesn't appear to read, meaning the runtime behavior may rely on hardcoded defaults instead of provided secrets.
Install Mechanism
No install spec is provided (instruction-only), which lowers supply-chain risk. The SKILL.md recommends installing google-cloud-storage and requires ffmpeg/psql/curl to be present on the host. Because the code is included in the bundle (not downloaded at runtime) there is no remote arbitrary download, but the skill depends on system binaries and a Python package: it will call external binaries (curl/psql/ffprobe/ffmpeg) and the google-cloud library, so you must ensure those are installed in a controlled environment.
Credentials
SKILL.md requests many sensitive environment variables (DB host/port/name/user/password, MCP endpoint/api key, GCS service-account path). That is proportionate for the declared pipeline — except the code does not actually read those STH_* env vars and instead uses hardcoded DB_CONFIG/MCP_CONFIG values. This mismatch is concerning: either the SKILL.md is out of date or the code will ignore user-provided credentials and act on local defaults (localhost DB, empty DB password, hardcoded MCP endpoint). Requesting a GCS key file path and an MCP API key is expected for uploads, but you must confirm the code will use the credentials you provide rather than ignoring them.
Persistence & Privilege
The skill is not always-enabled and does not ask for platform-level privileges. It writes state and log files inside its skill directory (raw_video_urls.json, logs, pending_notifications.txt) and accesses files under /root/.openclaw/media/inbound in several scripts. It also spawns long-polling loops (poll_video_job) that can run for many minutes. Allowing autonomous invocation plus DB write capability increases blast radius; while autonomous invocation is normal, combined with database updates and external network calls this merits careful credential and environment controls.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sth-video-gen
  3. After installation, invoke the skill by name or use /sth-video-gen
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Clean v2 release
Metadata
Slug: sth-video-gen
Version: 2.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is STH Video Template Generation?

Generate vertical 9:16 videos for Sing The Hook song templates using a two-stage pipeline with MCP, trimming, uploading to GCS, and database updates. It is an AI Agent Skill for Claude Code / OpenClaw, with 214 downloads so far.

How do I install STH Video Template Generation?

Run "/install sth-video-gen" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is STH Video Template Generation free?

Yes, STH Video Template Generation is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does STH Video Template Generation support?

STH Video Template Generation is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created STH Video Template Generation?

It is built and maintained by Yin Zhu (@zhuyinzhuyin); the current version is v2.0.0.
