Video Pipeline Bundle

视频一站式工作流技能包。整合视频剪辑、转写、烧录、拼接全流程，支持分步执行和用户确认。 包含：(1) auto-editor - 视频剪辑去除静音片段；(2) Faster Whisper + MiniMax LLM - 语音转字幕； (3) ffmpeg - 烧录字幕到视频；(4) FFmpeg 工具箱 - 拼...

Key things to consider before installing or running this bundle: - Metadata mismatch: the registry says no env vars required, but the package needs MINIMAX_API_KEY (and can also use OPENAI/ANTHROPIC keys). Do not set API keys globally unless you intend the feature; prefer passing --api-key at runtime. - Automatic installs at runtime: some scripts will attempt to pip install dependencies when executed. If you want full control, run in a disposable virtualenv or container and inspect/approve installs first. - Notifications / possible exfiltration: scripts call an external 'openclaw' CLI to send messages to Feishu and will include filenames and progress. If you set OPENCLAW_TARGET or OPENCLAW_CHANNEL those notifications will go to that target. Keep notifications disabled (--notify false) or avoid setting OPENCLAW_TARGET if you don't want file names sent externally. - Nonstandard HF mirror default: the code sets HF_ENDPOINT to https://hf-mirror.com which may redirect model downloads or API calls to a third-party mirror. If you care where models are downloaded from, override or remove that env default before running. - Code quality: several scripts contain obvious bugs and malformed subprocess calls (broken quoting and syntax in pipeline.py). Expect to need to fix code before reliable use. Recommended actions: 1) Inspect and, if needed, edit the scripts (remove or control auto-install behavior, fix broken strings). 2) Run only in an isolated environment (container or VM) with no sensitive environment variables exported. 3) Do not set OPENCLAW_TARGET, and prefer passing LLM keys on the command line if you must test. 4) Verify the openclaw binary and its configuration before enabling notifications. 5) If you require model downloads, explicitly set HF_ENDPOINT to an endpoint you trust or remove the default. Because of the mismatches and runtime install/notification behavior, treat this skill as suspicious until you validate and sanitize it in an isolated environment.

Type: OpenClaw Skill Name: video-pipeline-bundle Version: 1.0.2 The skill bundle is classified as suspicious primarily due to multiple shell injection vulnerabilities found in `scripts/pipeline.py`. This script constructs commands using f-strings with user-controlled input paths (e.g., `input_dir`, `output_dir`, `output_file`) and then executes them via `subprocess.run(cmd, shell=True, ...)`. This allows an attacker to inject arbitrary shell commands by crafting malicious directory or file names, leading to potential Remote Code Execution (RCE). Additionally, `scripts/video_clip.py` and `scripts/video_to_text.py` use `pip install --break-system-packages`, which is a risky practice that can interfere with system Python environments, although this is transparently documented in `SKILL.md`.