← 返回 Skills 市场
Video Producer
作者
a1024708231
· GitHub ↗
· v2.2.1
· MIT-0
1055
总下载
1
收藏
3
当前安装
1
版本数
在 OpenClaw 中安装
/install video-producer
功能描述
短视频一键生成技能 v2.2。调用video-director进行画面规划,然后生成AI素材、TTS配音、视频渲染,输出完整MP4。
安全使用建议
Do not run this skill as-is on a sensitive system. Specific concerns: (1) The code contains hard-coded API keys — treat them as leaked secrets; if you or others have used those keys, rotate them immediately. (2) The skill's metadata does not declare the API keys and helper scripts it actually uses (MINIMAX_API_KEY, MINIMAX_IMAGE_API_KEY and external video-director / minimax-tts scripts). Ask the author to remove hard-coded credentials and declare required env vars and dependencies. (3) The scripts invoke external node/python helpers with execSync and build shell commands from user text — this can allow shell injection if inputs are not sanitized. Avoid passing untrusted text; prefer child_process.spawn with explicit args or a sanitized interface. (4) The skill requires or executes sibling scripts (../../video-director, ../../minimax-tts-cn) — verify those scripts' source before allowing execution because they run with the same agent privileges. (5) produce_fix.js can rewrite produce.js — treat self-modifying behavior cautiously and review its use-case. Recommended actions before installing: run in an isolated sandbox, audit and remove hard-coded keys, require explicit env vars in metadata, review all external endpoints (api.minimaxi.com and any video-director/tts code), and test with non-sensitive sample data. If you cannot verify the external helper scripts and keys, mark the skill untrusted.
功能分析
Type: OpenClaw Skill
Name: video-producer
Version: 2.2.1
The skill bundle contains multiple hardcoded API keys for the MiniMax service within `scripts/produce.js` and `scripts/image_gen.js`, which is a major security risk regarding credential exposure. Additionally, `scripts/produce.js` utilizes `execSync` to execute shell commands (ffmpeg, remotion, and python) by concatenating strings with potentially untrusted input, creating a high risk for shell injection. While these are critical vulnerabilities, the code logic remains consistent with the stated purpose of video production, and no clear evidence of intentional data exfiltration or malicious backdoors was found.
能力评估
Purpose & Capability
The name/description (video generation using a video-director helper, AI images, TTS, Remotion render) matches the included scripts: produce.js, image_gen.js, and test output. However the implementation expects external helper scripts (../../video-director/scripts/plan.js and ../../minimax-tts-cn/scripts/tts.py) and uses external image/tts APIs — these dependencies are not declared in the registry metadata or SKILL.md metadata (no required env vars or config paths listed). That mismatch (undeclared but required helpers/keys) is unexpected.
Instruction Scope
The SKILL.md describes calling video-director and producing assets, which is consistent, but the runtime scripts do more: they call external processes (node and python) via execSync, write files outside the skill folder in multiple locations, and may require the presence of sibling skill code. The instructions do not document the hard-coded API keys, the expected external script locations, nor the fact that the agent will execute other scripts. The generateTTS command construction uses shell invocation with only double-quote escaping, exposing a potential shell-injection risk if input is not strictly sanitized.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded. However there are shipped JS scripts that will be executed. That reduces installation risk, but running these scripts still executes network requests and subprocesses. No external archive downloads were observed in the provided files.
Credentials
The skill metadata declares no required env vars or primary credential, but the code reads and falls back to API keys (process.env.MINIMAX_API_KEY, process.env.MINIMAX_IMAGE_API_KEY) and contains default hard-coded API key strings embedded in the source. Hard-coded keys in code are a sensitive mismatch with the declared 'none' credential fields. The scripts also expect local sibling projects (video-director, minimax-tts) which increases the attack surface and privileges needed at runtime.
Persistence & Privilege
The skill is not always-enabled (always: false) so it won't be force-included. It does, however, execute subprocesses (execSync), require/require() other scripts by path, and includes a helper (produce_fix.js) that modifies produce.js on disk (self-modifying code). Those behaviors are not necessarily malicious but increase risk and mean the skill will perform file writes and arbitrary code execution when run.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install video-producer - 安装完成后,直接呼叫该 Skill 的名称或使用
/video-producer触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.2.1
修复视频发送无法正确加载本地文件的问题;修复场景切换时长计算错误;修复素材引用变量名错误;添加自定义结尾支持
元数据
常见问题
Video Producer 是什么?
短视频一键生成技能 v2.2。调用video-director进行画面规划,然后生成AI素材、TTS配音、视频渲染,输出完整MP4。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1055 次。
如何安装 Video Producer?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install video-producer」即可一键安装,无需额外配置。
Video Producer 是免费的吗?
是的,Video Producer 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Video Producer 支持哪些平台?
Video Producer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Video Producer?
由 a1024708231(@a1024708231)开发并维护,当前版本 v2.2.1。
推荐 Skills