Video Proof

Author: rikisann · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 465
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install video-proof-skill
Description
Record video proof of implemented features after coding tasks complete. Use when a coding agent finishes work and needs to visually verify and demonstrate th...
Security usage recommendations
This skill appears to do what it says: it launches a server (via a start_command you provide), uses Playwright to record screen/screenshot/console logs, and writes proof artifacts. Before running: (1) review scripts/setup.sh because it will install node modules, download Chromium via npx playwright and may prompt for sudo to install ffmpeg — run it in a dev VM or container if you want isolation; (2) carefully review any proof-spec.yaml/start_command the agent will use — the skill will execute that shell command as-is, so do not let an untrusted agent choose a start_command or point it at production services; (3) avoid including secrets or production credentials in environment or repo paths used during recording, and review produced artifacts before committing (screenshots, logs, or API responses can include sensitive data); (4) if you need stricter control, run the scripts manually under an isolated user/container and inspect package.json changes and installed binaries first.
Functional analysis
Type: OpenClaw Skill
Name: video-proof-skill
Version: 1.0.1
The skill is highly suspicious due to its design allowing arbitrary shell command execution and broad network access. Both `scripts/record-proof.js` and `scripts/api-proof.js` execute user-provided `start_command` values directly via `spawn('sh', ['-c', ...])`, which is a critical Remote Code Execution (RCE) vulnerability. The `SKILL.md` and `references/proof-spec.md` explicitly instruct an AI agent to generate this `start_command` based on its task, creating a direct prompt injection vector for RCE. Additionally, `scripts/setup.sh` uses `sudo` for dependency installation, and `scripts/api-proof.js` can make arbitrary HTTP/HTTPS requests, further increasing the attack surface.
Capability assessment
Purpose & Capability
The name/description (record video/screenshot proof) match the included scripts (record-proof.js, api-proof.js) and the reference docs. The scripts implement UI walkthrough recording (Playwright) and API request checks, which is exactly what the skill claims to do.
Instruction Scope
SKILL.md and the scripts require you to provide a start_command (any shell command) or point to an already-running server and instruct the agent to produce artifacts and commit them. Allowing arbitrary start_command is necessary for the stated purpose (to start diverse stacks), but it also means the skill will run whatever command the agent or user supplies — verify the start_command and proof-spec before running, and avoid using secrets or production services in a recording run.
Install Mechanism
There is no platform package installer in the registry spec, but the included scripts/setup.sh installs npm packages (playwright, yaml), runs npx playwright install and may attempt to call system package managers (apt-get, brew, dnf, pacman) to install ffmpeg. This is expected for Playwright/video work but is invasive: it modifies (or creates) package.json, downloads node modules and browser artifacts, and may use sudo to install system packages.
Credentials
The skill declares no required env vars or credentials (ok). The scripts spawn the start_command with an env that inherits process.env, and setup.sh runs system package installers — running the skill in an environment with sensitive environment variables or secrets could expose them if the started process or agent-written start_command leaks them. The skill itself does not request unrelated cloud creds or tokens.
Persistence & Privilege
The skill is not forced-always-enabled and does not attempt to modify other skills or system-wide agent settings. It does persist artifacts into a local output directory by design. Autonomous invocation is allowed by default (platform behavior) but not combined with other elevated privileges here.
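How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install video-proof-skill
  3. Once installed, invoke the Skill by name or trigger it with /video-proof-skill
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history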
v1.0.1
Record video proof of working features with Playwright. Any stack, any start command.
v1.0.0
Record video proof of working features with Playwright. Any stack, any start command. UI + API proof modes.
Metadata
Slug: video-proof-skill
Version: 1.0.1
License:
Total installs: 0
Current installs: 0
Number of versions: 2
FAQ

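What is Video Proof?

Record video proof of implemented features after coding tasks complete. Use when a coding agent finishes work and needs to visually verify and demonstrate th... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 465 total downloads to date.

How do I install Video Proof?

Run the command "/install video-proof-skill" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.

Is Video Proof free?

Yes, Video Proof is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Video Proof support?

Video Proof runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Video Proof?

Developed and maintained by rikisann (@rikisann); the current version is v1.0.1.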
