STH Video Template Generation

Generate vertical 9:16 videos for Sing The Hook song templates using a two-stage pipeline with MCP, trimming, uploading to GCS, and database updates.

Key points to verify before installing or running: - Mismatched declarations: The registry says "no env vars" but SKILL.md asks for many sensitive variables (DB creds, MCP API key, GCS key path). Ask the author which is authoritative. Do not hand over secrets until you confirm the code will use them correctly. - Code vs env: Inspect/modify the code to ensure DB/MCP/GCS configuration is read from secure environment variables (or a config file) rather than using hardcoded defaults (the current DB_CONFIG and MCP_CONFIG are hardcoded). If you expect it to use STH_DB_* / STH_MCP_* variables, confirm the code reads os.environ for those keys. - Run in an isolated sandbox: Because the scripts will execute psql, curl, ffmpeg/ffprobe and update a PostgreSQL table, test the skill in a throwaway environment (or with a read-only test DB and fake MCP credentials) before providing production credentials. - Verify external endpoints and credentials: The code targets an external MCP endpoint (https://kansas3.8glabs.com/mcp). Confirm that endpoint is trusted and that the MCP API key will be scoped/rotated appropriately. The skill also uploads to GCS — prefer a service account with minimal permissions (only the target bucket) and avoid broad-scoped keys. - File paths and data exposure: The scripts reference /root/.openclaw/media/inbound and write logs and state under the skill directory. Ensure those paths are acceptable and contain no sensitive data you don't want processed. Consider running with a limited filesystem view. - Review and harden: If you plan to use this, update the code to read credentials from environment variables, validate/escape template IDs before building SQL, and limit polling durations/worker counts. Remove or document any behavior that writes notifications or uses Telegram. If you cannot confirm these items with the author, treat the skill as untrusted and avoid supplying real DB or cloud credentials.

Type: OpenClaw Skill Name: sth-video-gen Version: 2.0.0 The skill bundle implements a video generation pipeline but contains multiple critical SQL injection vulnerabilities across several files, including sth_video_generator.py and batch_processor.py, where template IDs from user-provided CSV inputs are directly interpolated into database queries. The scripts also perform high-risk operations such as executing shell commands (psql, ffmpeg, curl) and uploading data to Google Cloud Storage. While these actions appear aligned with the stated purpose of the 'Sing The Hook' service, the lack of input sanitization and the broad use of system commands present a significant security risk without clear evidence of intentional malice.