Total downloads: 322
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install product-demo-video
Description
Create product demo videos with voiceover, text overlays, and real browser interactions. Fully automated, zero cost. Uses Puppeteer (headless Chrome), edge-t...
Security usage recommendations
This skill is coherent with its stated purpose, but take these precautions before running:
- Inspect and (if needed) edit SCENES in scripts/record-demo.mjs so they only point to public pages you control; do NOT point it to authenticated or private pages unless you understand the privacy risk (screenshots capture page content).
- Review any narration or scene id content before running; the script uses execSync with string commands (edge-tts, ffmpeg, ffprobe). Avoid untrusted text that could include shell metacharacters. Prefer running the script manually in a sandbox first.
- Be careful running scripts/install-deps.sh: it downloads an FFmpeg static build and copies binaries to /usr/local/bin (requires elevated privileges). Consider installing dependencies through your package manager or verifying the downloaded archive before copying.
- Expect edge-tts to contact Microsoft servers (network activity). If offline or privacy-sensitive, do not generate TTS there.
- Run the whole workflow in an isolated environment (VM/container) or non-production machine until you’re comfortable. If you plan to adapt the code, consider replacing execSync string commands with child_process spawn/execFile and validated argument lists to avoid shell injection.
Functional analysis
Type: OpenClaw Skill
Name: product-demo-video
Version: 1.0.0
The skill bundle contains a shell injection vulnerability in `scripts/record-demo.mjs` where narration text is passed to `execSync` with insufficient sanitization (only double quotes are escaped), allowing for subshell execution (e.g., via backticks or $()). Additionally, `scripts/install-deps.sh` downloads and installs a pre-compiled FFmpeg binary from an external site (johnvansickle.com), which is a high-risk supply chain practice. While these behaviors are functional for the stated purpose of video generation, they represent significant security flaws that could be exploited by a malicious prompt.
Capability assessment
Purpose & Capability
Name, description, and included files (Puppeteer script, edge-tts usage, PIL overlay generation, FFmpeg commands) match the stated goal of creating product demo videos; no unrelated credentials, config paths, or services are requested.
Instruction Scope
SKILL.md and record-demo.mjs instruct the agent to visit arbitrary URLs and screenshot them, generate TTS via edge-tts (calls Microsoft servers), run FFmpeg/ffprobe, and create overlay images with a generated Python script. This stays within the stated purpose, but noteworthy runtime behaviors: the tool will capture screenshots of any provided URL (including authenticated/private pages if pointed there), and it invokes external network services (edge-tts). The code uses execSync with shell-interpolated strings (narration, filenames, ids) which can lead to command-injection risks if scene IDs or narration text are untrusted.
Install Mechanism
There is no platform-level install spec, but an included scripts/install-deps.sh downloads an FFmpeg static build from johnvansickle.com (a common FFmpeg static source) and copies binaries to /usr/local/bin. The script also uses apt/dnf package installs and pip installs. Downloading and extracting an archive and copying into /usr/local/bin is invasive and will require elevated privileges; the curl+tar approach is higher risk than using a package manager but the upstream source is known.
Credentials
The skill does not request environment variables or credentials, and the code does not read secret env vars. The only external services used are Microsoft TTS via edge-tts and standard utilities (ffmpeg, chromium).
Persistence & Privilege
always:false and no special agent permissions requested. The install script writes system-wide binaries (/usr/local/bin) and installs fonts/packages; running that script will require sudo/root on many systems. The skill does not attempt to modify other skills or agent configurations.
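How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install product-demo-video
- Once installation completes, call the Skill by name or trigger it with /product-demo-video
- Provide the required input as described in the Skill's parameter documentation to get structured output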
Version history
v1.0.0
Automated demo video pipeline: Puppeteer + edge-tts + PIL + FFmpeg
FAQ
What is Product Demo Video Creator?
Create product demo videos with voiceover, text overlays, and real browser interactions. Fully automated, zero cost. Uses Puppeteer (headless Chrome), edge-t... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 322 cumulative downloads to date.
How do I install Product Demo Video Creator?
Run the command "/install product-demo-video" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Product Demo Video Creator free?
Yes, Product Demo Video Creator is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Product Demo Video Creator support?
Product Demo Video Creator is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Product Demo Video Creator?
It is developed and maintained by xiazai77 (@xiazai77); the current version is v1.0.0.