everfirdev

Videoinu

Author: everfirdev · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 88
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install videoinu
Description
Videoinu platform skill — manage projects via Graphs (canvases), upload/download files, chat with AI Agents, and run Workflows. Use when: user mentions Video...
Security usage advice
This package appears to be a real Videoinu CLI implemented in Python and performs the operations described, but there are a few actionable concerns to consider before installing:
- Metadata mismatch: The skill registry entry claims no required credentials, but SKILL.md and the code require VIDEOINU_ACCESS_KEY and read/write ~/.videoinu/credentials.json. Treat this as a red flag in the publisher hygiene (ask publisher to correct metadata).
- Sensitive token handling: The access key is effectively an account token (JWT). Prefer exporting VIDEOINU_ACCESS_KEY in a secure environment rather than saving it with auth.py unless you trust the machine and the skill. If you do save it, auth.py sets restrictive permissions, which is good.
- BASE_URL is configurable: The code respects VIDEOINU_API_BASE, which if set to a malicious host would cause credentials and data to be sent there. Do not set VIDEOINU_API_BASE to an untrusted URL.
- Code review: The included scripts are readable and use only the standard library (no obfuscated or downloader logic). If you do not trust the publisher or the unknown source, consider running the scripts in an isolated environment (VM/container) or manually inspecting the files (they are provided) before use.
- Verification steps: Run `python3 auth.py status` and `python3 auth.py verify` (the latter will call the API) to confirm expected behavior.
If you want stronger guarantees, ask the publisher to: (1) publish a homepage/source link, (2) correct the registry metadata to declare VIDEOINU_ACCESS_KEY as the primary credential, and (3) sign/release the package from a known source.
Given the metadata omission and the sensitivity of the access token, I rate this as suspicious (medium confidence) rather than clearly benign. If you trust the skill's origin and videoinu.com, the code appears consistent with its stated purpose.
Functional analysis
Type: OpenClaw Skill
Name: videoinu
Version: 1.0.1
The videoinu skill bundle provides a legitimate set of tools for interacting with the Videoinu platform, including project management, file transfers, and AI agent communication. The scripts (e.g., auth.py, agent_chat.py, upload_file.py) use only the Python standard library and follow security best practices by restricting permissions on the local credentials file (~/.videoinu/credentials.json) to the owner only. No evidence of data exfiltration, malicious execution, or prompt injection was found; the custom WebSocket implementation in _common.py is a standard RFC 6455 compliant client used to avoid external dependencies.
Capability assessment
Purpose & Capability
The skill's name/description and included Python scripts consistently implement a Videoinu client (graph management, uploads, agent chat, workflows). However the registry metadata for the skill claims no required environment variables or primary credential, while SKILL.md and the code clearly require an access key (VIDEOINU_ACCESS_KEY) and read ~/.videoinu/credentials.json. That metadata omission is an incoherence that affects trust and permission review.
Instruction Scope
The SKILL.md instructs the agent/user to use the bundled Python scripts and not to call the API directly; the scripts do exactly what is described (HTTP calls to BASE_URL, WebSocket chat, upload/download files). The scripts read an access key from an env var or ~/.videoinu/credentials.json and use it as a Cookie header to call the Videoinu API. They access only the user's home (~/.videoinu) for credentials and standard local files for upload/download. There are no unexpected remote endpoints embedded in the code; the API base is configurable via VIDEOINU_API_BASE (defaults to https://videoinu.com).
Install Mechanism
There is no install specification that downloads or executes remote artifacts; the skill is delivered as code files (Python scripts) and SKILL.md. The scripts only use the Python standard library. No external package downloads or third-party install URLs are present in the bundle.
Credentials
The code requires a sensitive credential (VIDEOINU_ACCESS_KEY) and will persist it to ~/.videoinu/credentials.json if the provided auth helper is used. The registry metadata did not declare this required env var/primary credential, which is a mismatch. The credential is treated as a JWT and used as a Cookie token for API requests — leaking it would enable account access. Aside from the access key and optional VIDEOINU_API_BASE, no other credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and will not force-install itself. It writes a credentials file to ~/.videoinu when you run auth.py save; auth.py sets file permissions to owner read/write only. The skill does not modify other skills' configs or system-wide settings. Agent autonomous invocation is allowed (default) but not uniquely risky here.
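How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install videoinu
  3. Once installation completes, invoke the Skill by name or trigger it with /videoinu
  4. Provide the required inputs according to the Skill's parameter description to get structured output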
Version history
v1.0.1
Translate all documentation to English for international users
v1.0.0
Initial release: Graph management, Agent chat, file upload/download, Workflow execution
Metadata
Slug videoinu
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Version count 2
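FAQ

What is Videoinu?

Videoinu platform skill — manage projects via Graphs (canvases), upload/download files, chat with AI Agents, and run Workflows. Use when: user mentions Video... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 88 downloads to date.

How do I install Videoinu?

Run the command "/install videoinu" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Videoinu free?

Yes, Videoinu is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Videoinu support?

Videoinu is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Videoinu?

It is developed and maintained by everfirdev (@everfirdev); the current version is v1.0.1.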
