← 返回 Skills 市场
donghaozhang

QCut Toolkit

作者 donghaozhang · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
470
总下载
0
收藏
2
当前安装
2
版本数
在 OpenClaw 中安装
/install qcut-toolkit
功能描述
Unified QCut media toolkit — organize project files, process media with FFmpeg, generate AI content, control the QCut editor with native CLI commands, genera...
安全使用建议
This package looks like a full QCut toolset (FFmpeg docs, AI pipeline, local HTTP APIs and helper scripts). Before installing or enabling it: 1) Confirm you run it inside the QCut/Electron environment it targets — otherwise expected binaries (aicp, bundled AICP binary, ffmpeg) and the local Claude HTTP server may not exist. 2) Review the bundled scripts (subtitle_server.js, review_server.js, shell scripts) before running — they can open local endpoints or access files. 3) Be aware the docs instruct persistent storage of API keys (e.g., ~/.config/video-ai-studio/credentials.env) and call external model endpoints (fal.run, Google providers). Only provide API keys you trust and consider scope-limited keys. 4) If you do not want the skill to access local files or start servers, do not run the CLI/server components; if you need to run them, sandbox or inspect them first. 5) If you want a definitive benign/malicious determination, provide the contents of the included JS/shell scripts for review (the manifest lists them but their code was not fully shown here).
功能分析
Type: OpenClaw Skill Name: qcut-toolkit Version: 1.0.1 The toolkit contains several high-risk behaviors and architectural patterns that, while functional, create significant security and privacy concerns. Most notably, 'subtitles/SKILL.md' and 'talk-edit/SKILL.md' instruct the agent to upload user audio files to 'uguu.se' (a public temporary file hosting service) to facilitate transcription via the Volcengine API. The toolkit also includes local Node.js HTTP servers ('subtitle_server.js' and 'review_server.js') that execute shell commands using 'execSync' and 'spawn', presenting a potential Remote Code Execution (RCE) surface if the local ports are exposed. Furthermore, the 'videocut/self-evolve/SKILL.md' instructions explicitly direct the AI agent to modify its own skill files and rules based on 'feedback,' which could be leveraged as a mechanism for persistence or to inject malicious instructions into the agent's logic over time.
能力评估
Purpose & Capability
The skill's name/description (QCut media toolkit) matches the included sub-skills (ffmpeg guides, AI pipeline, project organization, PR comments). However, the SKILL.md and reference docs assume the presence of QCut-specific binaries (aicp, QCut/Electron host, ffmpeg) and credential plumbing that are not declared in the skill metadata (required binaries/env/config). That omission is an inconsistency: a legitimate QCut skill would normally declare or at least document required runtime binaries/environment.
Instruction Scope
The skill's instructions reference running/using local CLI binaries (aicp, QCut), a local HTTP API (localhost:8765), and persistent credential stores (e.g., ~/.config/video-ai-studio/credentials.env). The docs show APIs that accept absolute file paths and timeline/media IDs — these afford the agent access to arbitrary local files if invoked. The SKILL.md instructs setting and injecting API keys and includes multi-tier key resolution; it also routes to sub-skill docs and shell/js scripts present in the bundle. These behaviors go beyond simple text-only help and could read/write sensitive files or start local servers if executed, so the instruction scope is broader than the metadata implies.
Install Mechanism
There is no install spec (instruction-only) which reduces installer risk. However, the package contains executable scripts and server JS files (subtitle_server.js, review_server.js, shell scripts) that could be executed by an agent following the SKILL.md guidance. Absence of a declared install process does not eliminate runtime execution risk.
Credentials
The skill metadata declares no required environment variables or primary credential, yet the SKILL.md and REFERENCE docs repeatedly reference and instruct management of multiple API keys (FAL_KEY, GEMINI_API_KEY, ELEVENLABS_API_KEY, etc.) and a persistent credentials file. Asking the user/agent to set or rely on those secrets without declaring them is inconsistent and elevates the chance of accidental secret exposure or misconfiguration.
Persistence & Privilege
The skill does not request always:true and defaults to normal invocation. But it recommends persistent key storage (CLI set-key that writes to ~/.config/.../credentials.env) and documents local HTTP endpoints and servers. That implies the skill expects to persist secrets and possibly run long-lived local services — reasonable for an app-integrated toolkit but something users should explicitly consent to and verify.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install qcut-toolkit
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /qcut-toolkit 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- Removed 484 documentation and reference files, including multiple SKILL.md, prompt, and style configuration files from submodules such as baoyu-article-illustrator and baoyu-comic. - No changes to functionality or routing logic; only supporting and example files were deleted. - Core toolkit description and usage unchanged.
v1.0.0
QCut Toolkit initial release — unified entry point for six core media workflow skills. - Provides routing to: project/file organization, FFmpeg media processing, AI content generation/analysis, Seedance video prompt generation, MCP preview testing, and PR comment review tools. - Includes detailed guidance on when to invoke each sub-skill for typical content pipeline requests. - Documents routing logic for chaining multiple tools, with example user queries and a lookup table. - Standardizes output structure for all workflows. - Emphasizes stepwise, confirm-before-destructive execution for multi-stage tasks.
元数据
Slug qcut-toolkit
版本 1.0.1
许可证
累计安装 2
当前安装数 2
历史版本数 2
常见问题

QCut Toolkit 是什么?

Unified QCut media toolkit — organize project files, process media with FFmpeg, generate AI content, control the QCut editor with native CLI commands, genera... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 470 次。

如何安装 QCut Toolkit?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install qcut-toolkit」即可一键安装,无需额外配置。

QCut Toolkit 是免费的吗?

是的,QCut Toolkit 完全免费(开源免费),可自由下载、安装和使用。

QCut Toolkit 支持哪些平台?

QCut Toolkit 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 QCut Toolkit?

由 donghaozhang(@donghaozhang)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论