
Qcut Video Edit

Author: donghaozhang · GitHub · v2026.3.5
cross-platform ⚠ suspicious
Total downloads: 405
Favorites: 0
Current installs: 1
Versions: 3
Install in OpenClaw
/install qcut-video-edit
Description
Run QCut's native TypeScript pipeline CLI for AI content generation, video analysis, transcription, YAML pipelines, ViMax agentic video production, and proje...
Safe usage advice
What to consider before installing or running this skill:
- The SKILL.md expects you to have and run local developer tools (bun, electron) and the qcut pipeline. The skill metadata does not declare those required binaries — confirm you have the intended QCut application and that these commands are safe in your environment.
- The instructions access local configuration (~/.qcut/.env) and include commands to set and reveal API keys. Never run commands that reveal secrets unless you explicitly trust the environment and understand where output goes.
- The skill suggests reading other agent skill files (e.g., .agents/skills/...), which means it expects access to your agent's filesystem. If you do not want a skill to read other skill files or local configs, avoid running these commands or run them in an isolated environment (VM/container).
- Building and launching (bun run build; bun run electron &) executes code on your machine. Treat that like running any unreviewed program — inspect upstream source or run in an isolated test environment first.
- Ask the publisher for clarifications: a list of explicit required binaries, which local paths will be read/written, and why reading .agents/skills is necessary. Prefer installing only from a trusted homepage/source; this package has 'Source: unknown' and no homepage, which reduces provenance confidence.
- If you need to proceed, run commands manually rather than letting an agent run them autonomously, and avoid using any --reveal or other flags that expose full secret values.
Functional analysis
Type: OpenClaw Skill
Name: qcut-video-edit
Version: 2026.3.5
The skill bundle is classified as suspicious due to several high-risk capabilities and potential vulnerabilities exposed through its commands. Specifically, the `bun run pipeline get-key --name <name> --reveal` command (documented in `reference-pipelines.md`) allows direct retrieval of sensitive API keys stored locally. Additionally, the 'Notification Bridge' feature (documented in `editor-state-control.md`) enables forwarding of user actions from the QCut application to the Claude PTY session, posing a privacy risk through potential monitoring. Furthermore, commands accepting arbitrary URLs (e.g., `--image-url`, `--url` in `REFERENCE.md`, `editor-media.md`) and HTML content (e.g., `--html` in `editor-output.md`) could lead to SSRF/LFI or XSS vulnerabilities in the underlying QCut application if not properly sanitized. While these are documented features, they represent significant security risks if misused or exploited, indicating a suspicious rather than benign nature, without clear evidence of intentional malicious exfiltration or backdoor installation by the skill itself.
Capability assessment
Purpose & Capability
The skill claims to run QCut's native TypeScript pipeline and editor HTTP automation (which legitimately requires local binaries like bun, a qcut-pipeline binary, electron, and curl). However the registry metadata lists no required binaries, no required env vars, and no install steps. That is an incoherence: documentation expects tools that are not declared as required.
Instruction Scope
The SKILL.md instructs the agent to run local shell commands (curl to http://127.0.0.1:8765, bun run build, bun run electron, bun run pipeline commands), read/write ~/.qcut/.env, dump project state to disk, and locate other agent files (e.g., .agents/skills/remotion-best-practices/SKILL.md). These actions go beyond simple CLI usage: they can start background processes, read local config and other skill files, and (via pipeline key commands) potentially reveal secret values if a user runs 'get-key --reveal' or similar. The instructions also give broad discretion to import/export files and interact with the editor API — not strictly scoped to a single narrow task.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there's no installer or external binary being downloaded by the skill package itself. That reduces risk from remote code fetch, but the runtime instructions still direct running local build/execution commands (bun/electron).
Credentials
The docs reference many API keys stored at ~/.qcut/.env (FAL_KEY, GEMINI_API_KEY, OPENAI_API_KEY, etc.) and include commands to set/check/reveal keys, but the skill metadata declares no required environment variables or primary credential. This is a mismatch: the skill expects to manage/inspect local secrets but doesn't declare any credential access. Additionally, commands can expose whether keys are configured and (with --reveal) full values — a potential vector for accidental secret disclosure if used carelessly.
Persistence & Privilege
The skill does not set always:true and has no install mechanism that would embed it persistently. It does instruct launching local processes (bun run electron &), but that is a normal behavior for a CLI controlling a local desktop app and not a privilege escalation of the skill package itself.
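How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install qcut-video-edit
  3. Once installation completes, call the Skill by name or trigger it with /qcut-video-edit
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history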
v2026.3.5
- Added new step to switch to the video edit panel using editor:ui:switch-panel in project/media/timeline discovery instructions.
- Updated step order to clarify UI navigation before media and timeline export.
- No breaking changes to commands or API. Documentation and workflow guidance improved.
v2026.3.4
- Major documentation and structure update with expanded modular references for pipelines, ViMax, media, timeline, and output.
- Added 5 new documentation files: editor-media.md, editor-timeline.md, editor-output.md, reference-pipelines.md, and reference-vimax.md for clearer separation of commands and workflows.
- Enhanced JSON output documentation, including envelope types and progressive 3-level help for improved machine parsing.
- New options and global flags introduced (e.g., --session, --skip-health, --no-capability-check) and documented.
- Clarified project.json agent-readable state export commands and schemas.
- Updated key source file references, listing additional registries and helpers for improved developer navigation.
v2026.3.3
- Major documentation update: new comprehensive SKILL.md covering all aspects of QCut's native CLI usage.
- Added detailed step-by-step instructions for setup, project/media/timeline discovery, and running commands.
- Quick command examples for model listing, video/image generation, analysis, transcription, cost estimation, and ViMax workflows.
- Instructions for API key setup and management, with a list of supported providers.
- Full summary table for global CLI options and key source files for easier navigation and development.
Metadata
Slug qcut-video-edit
Version 2026.3.5
License
Total installs 1
Current installs 1
Number of versions 3
FAQ

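What is Qcut Video Edit?

Run QCut's native TypeScript pipeline CLI for AI content generation, video analysis, transcription, YAML pipelines, ViMax agentic video production, and proje... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 405 total downloads to date.

How do I install Qcut Video Edit?

Run the command "/install qcut-video-edit" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Qcut Video Edit free?

Yes, Qcut Video Edit is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Qcut Video Edit support?

Qcut Video Edit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Qcut Video Edit?

It is developed and maintained by donghaozhang (@donghaozhang); the current version is v2026.3.5.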
