pauldelavallaz

VEED UGC

Author: Paul de Lavallaz · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 1126
Favorites: 5
Current installs: 3
Versions: 2
Install in OpenClaw
/install veed-ugc
Description
Generate UGC-style promotional videos with AI lip-sync. Takes an image (person with product from Morpheus/Ad-Ready) and a script (pure dialogue), creates a video of the person speaking. Uses ElevenLabs for voice synthesis.
Safe-use recommendations
Before installing or running this skill, note that:
(1) the included Python script will upload any image and the script text you provide to https://api.comfydeploy.com — do not upload images of real people without explicit consent;
(2) the script requires a ComfyDeploy API key (COMFY_DEPLOY_API_KEY or --api-key) even though the skill metadata does not list that requirement — this mismatch is suspicious and you should provide a key with minimal privileges;
(3) the script prints API responses (first 500 chars) to stdout which can leak sensitive info to logs — review or remove these debug prints if you care about secrecy;
(4) ElevenLabs is referenced only for voice IDs; no ElevenLabs credential is included, because TTS is performed by the ComfyDeploy workflow — verify this behavior with the service owner;
(5) the source/homepage is unknown: prefer packages with a verifiable source or inspect the code thoroughly and run in an isolated environment.
If you are unsure, do not use with real users' images or private scripts until you confirm the service/policy and fix the manifest mismatch (declare the COMFY_DEPLOY_API_KEY requirement).
Functional analysis
Type: OpenClaw Skill
Name: veed-ugc
Version: 1.0.1
The `scripts/generate.py` file is designed to upload local image files to `api.comfydeploy.com` for video generation. However, the script takes the `--image` argument directly as a file path without explicit validation or sanitization, making it vulnerable to arbitrary file read/upload. An attacker could potentially provide a path to a sensitive local file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), leading to its exfiltration to the `comfydeploy.com` service. While the skill's stated purpose requires file upload, this lack of input validation represents a significant vulnerability, classifying it as suspicious rather than benign.
Capability assessment
Purpose & Capability
The name and description (generate UGC videos with lip-sync/TTS) match the code and SKILL.md: the script uploads an image, queues a run at ComfyDeploy, polls, and downloads the result. Mentioning ElevenLabs is reasonable because a voice_id is used, but ElevenLabs credentials are not required by the bundled code (ComfyDeploy is the service actually contacted).
Instruction Scope
SKILL.md and the included script instruct the agent to upload user-supplied images and script text to https://api.comfydeploy.com and to include an Authorization Bearer API key. The code also prints debug info and the first 500 characters of API responses to stdout, which can leak sensitive data (including tokens or returned URLs). The skill will transmit user images and text to an external service — this is expected for the stated purpose but is a privacy/data-exfiltration consideration that must be explicit to users.
Install Mechanism
There is no install spec (instruction-only plus an included Python script). Nothing is downloaded from arbitrary URLs and no install-time code execution is requested. Risk from install mechanism is low.
Credentials
The skill manifest declares no required env vars, but the script requires a COMFY_DEPLOY_API_KEY either via --api-key or environment (COMFY_DEPLOY_API_KEY). That mismatch is incoherent and could confuse users. No ElevenLabs secret is requested (because ComfyDeploy handles TTS), which is plausible, but the SKILL.md's voice/ElevenLabs messaging could mislead users into thinking an ElevenLabs key is required. The script's debug printing of response bodies can expose credentials or other sensitive return values to logs.
Persistence & Privilege
The skill is not always-enabled and does not request persistence or modify other skill/system settings. It runs on-demand and does not escalate privileges.
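How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the dialog: /install veed-ugc
  3. Once installation completes, call the Skill by name or trigger it with /veed-ugc
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history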
v1.0.1
Update: Changed from brief to pure script dialogue input (no annotations, symbols, or tone directions)
v1.0.0
Initial release: UGC video generation with AI lip-sync
Metadata
Slug veed-ugc
Version 1.0.1
License
Total installs 3
Current installs 3
Historical versions 2
FAQ

What is VEED UGC?

Generate UGC-style promotional videos with AI lip-sync. Takes an image (person with product from Morpheus/Ad-Ready) and a script (pure dialogue), creates a video of the person speaking. Uses ElevenLabs for voice synthesis. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1126 cumulative downloads to date.

How do I install VEED UGC?

Run the command "/install veed-ugc" in the OpenClaw or Claude Code dialog to install it in one step, with no additional configuration required.

Is VEED UGC free?

Yes, VEED UGC is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does VEED UGC support?

VEED UGC runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed VEED UGC?

Developed and maintained by Paul de Lavallaz (@pauldelavallaz); the current version is v1.0.1.
