shellbot-creative

Author: cohnen · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 414
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install shellbot-creative
Description
Opinionated creative production system for image/video generation, image editing, motion scenes, voiceovers, music, and Remotion assembly. Combines Freepik,...
Security usage recommendations
This skill appears coherent for orchestrating multi-provider creative workflows, but review these before installing or running:
  1. Supply credentials only for providers you intend to use (FREEPIK_API_KEY is required for Freepik flows); understand that those keys will be sent to the provider APIs and may incur usage/billing.
  2. Inspect scripts/install_skill.sh and package_skill.sh if you plan to run them — don't execute install scripts from unknown packages without reading them.
  3. Review any truncated/omitted files for unexpected network endpoints or obfuscated code.
  4. If you want to limit blast radius, create provider API keys with the narrowest scopes possible and run the skill in an isolated project folder.
  5. If you need higher assurance, run a dry-run (the repo includes dry-run manifests) and review the generated shell plans before executing any network calls.
Functional analysis
Type: OpenClaw Skill
Name: shellbot-creative
Version: 1.0.0
The skill contains a critical shell injection vulnerability in `scripts/run_full_dry_run.py`. User-provided input (the 'brief' argument) is unsafely embedded into a `curl` command string, which is then written to an executable shell script (`creative-output/dry-run-freepik-first/commands/run-freepik-first.sh`). This allows an attacker to inject arbitrary shell commands for remote code execution on the host system. While there is no clear evidence of intentional malicious behavior by the skill author, this severe vulnerability makes the skill highly risky.
Capability assessment
Purpose & Capability
Name/description promise (multi-provider creative pipeline using Freepik, fal.ai, Nano Banana 2, and Remotion) matches the contents: orchestration scripts, Remotion React templates, and numerous curl/python commands targeting those providers. The declared primary credential (FREEPIK_API_KEY) and providerEnv references to FAL_KEY/INFERENCE_API_KEY are appropriate. Minor metadata inconsistency: registry 'Required env vars: none' conflicts with the skill's primaryEnv and the SKILL.md checks which expect FREEPIK_API_KEY (and optionally FAL_KEY / INFERENCE_API_KEY).
Instruction Scope
SKILL.md and scripts instruct running local Python scripts, creating project folders, using Remotion (node/npx), and calling provider APIs via curl/infsh. All referenced network endpoints are provider endpoints (api.freepik.com, queue.fal.run / api.fal.ai, infsh/inference.sh); instructions do not reference reading unrelated system files or exfiltrating files to unknown hosts. The runtime has permission to read/write local project files (assets, manifests) as expected.
Install Mechanism
No automated install spec in the registry (instruction-only), which minimizes automatic code fetching. The repo includes packaging/install helper scripts (scripts/install_skill.sh, package_skill.sh) — their contents were not fully inspected here; they are typical but should be reviewed before executing. Visible files do not download arbitrary archives from unknown hosts.
Credentials
Requested credentials are proportional to the multi-provider workflow: FREEPIK_API_KEY is the primary credential and FAL_KEY / INFERENCE_API_KEY are optional fallbacks. No unrelated secrets or broad system credentials are requested. Reminder: API keys will be transmitted to the provider endpoints invoked by the scripts (normal for this skill).
Persistence & Privilege
The skill is not always-enabled and uses default agent autonomy settings. It does not request elevated system privileges or indicate modification of other skills or global agent configuration. It writes artifacts into local project folders (assets/, scenes/, audio/, manifests/) which is consistent with its purpose.
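How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install shellbot-creative
  3. Once installation completes, call the Skill by name or trigger it with /shellbot-creative
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history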
v1.0.0
Initial release: Freepik-first creative pipeline with Nano Banana 2/fal fallbacks, storyboard + routing + Remotion manifest scripts, packaging/install helpers, and production recipes.
Metadata
Slug shellbot-creative
Version 1.0.0
License
Total installs 1
Current installs 1
Number of versions 1
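FAQ

What is shellbot-creative?

Opinionated creative production system for image/video generation, image editing, motion scenes, voiceovers, music, and Remotion assembly. Combines Freepik,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 414 total downloads to date.

How do I install shellbot-creative?

Run the command "/install shellbot-creative" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is shellbot-creative free?

Yes, shellbot-creative is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does shellbot-creative support?

shellbot-creative runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed shellbot-creative?

Developed and maintained by cohnen (@cohnen); the current version is v1.0.0.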
