Volcengine Digital Human Video Generator
Author: xiaoxiaole2025 (GitHub) · v1.0.4 · MIT-0
Total downloads: 112
Favorites: 0
Current installs: 0
Versions: 5
Install in OpenClaw
/install volc-digital-human
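Description
A Volcengine digital human video generation skill. It triggers when a user sends a photo along with dialogue or voice-over copy and asks for a talking-head digital human video. It runs the whole pipeline automatically: image upload, avatar creation, TTS voice-over (automatic gender detection, multi-voice matching), video synthesis, and delivery of the result back to the user. Trigger words include 数字人 (digital human), 视频合成 (video synthesis), 口播视频 (talking-head video), and 数字人视频 (digital human video).
Security recommendations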
Key things to consider before installing or using this skill:
- Do not upload sensitive or private images/audio. The skill uploads user-provided media to public file hosts (catbox.moe, 0x0.st / references mention uguu.se) so anyone with the URL can access them during processing.
- The package contains a config.json with hard-coded AK/SK credentials. Treat this as insecure: either remove that file, replace the credentials with your own, or set VOLC_AK/VOLC_SK in environment variables. If you cannot verify those keys' ownership, do not rely on them — they may be leaked or abused.
- Consider rotating any Volcengine keys you plan to use for this skill, and use a minimal-permission IAM user scoped to the Digital Human service only.
- The script can download ML models at runtime (deepface/retinaface) and calls external services; run it in an isolated environment (container) if you need to limit network/file-system exposure.
- Verify and/or pin dependency installation (edge-tts, ffmpeg, OpenCV, deepface) in a controlled environment; the package does not provide an install step.
If you need this capability but are uncomfortable with public uploads or embedded credentials, ask the skill author to remove the bundled config.json, provide clear metadata declaring required env vars, and offer an option to use private storage (your own S3/minio) instead of public file hosts.
Analysis
Type: OpenClaw Skill
Name: volc-digital-human
Version: 1.0.4
The skill poses significant privacy and security risks by uploading user-provided images and generated audio to public anonymous file-sharing hosts (catbox.moe and 0x0.st) to facilitate Volcengine API calls, as seen in scripts/volc_digital_human.py. It also contains hardcoded Volcengine credentials in config.json, which contradicts security warnings in SKILL.md. Furthermore, the use of subprocess.run to execute ffmpeg and edge-tts with potentially unsanitized user input presents a command injection vulnerability.
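The command-injection concern above depends on how the arguments reach `subprocess.run`. The review does not show the script's actual call, so the following is only a sketch of one defensive pattern: build an argv list and never pass `shell=True`. The helper names and the example voice are hypothetical, and the `--text`, `--voice`, and `--write-media` options are the edge-tts CLI flags as commonly documented.

```python
from pathlib import Path


def build_tts_command(text: str, voice: str, out_path: str) -> list[str]:
    """Build an argv list for edge-tts (hypothetical helper, not from the skill)."""
    if not text.strip():
        raise ValueError("text must not be empty")
    out = Path(out_path).resolve()
    # The --opt=value form keeps a value that starts with "-" from being
    # parsed as a separate option.
    return ["edge-tts", f"--text={text}", f"--voice={voice}", f"--write-media={out}"]


def build_ffmpeg_command(src: str, dst: str) -> list[str]:
    """Build an argv list for ffmpeg (hypothetical helper, not from the skill)."""
    # Absolute paths cannot be mistaken for ffmpeg options.
    return ["ffmpeg", "-y", "-i", str(Path(src).resolve()), str(Path(dst).resolve())]


# Shell metacharacters in user text stay literal because no shell is involved.
cmd = build_tts_command('hello"; rm -rf ~ #', "zh-CN-XiaoxiaoNeural", "/tmp/out.mp3")
# To execute: subprocess.run(cmd, check=True)  # note: no shell=True
```

With an argv list, the user's text is passed to the program as a single argument, so quoting tricks cannot start a second command.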
Capability assessment
Purpose & Capability
The name/description (Volcengine digital human video generator) match the code and instructions: image upload → create avatar → TTS → synthesize video. Requiring Volcengine AK/SK, TTS (edge-tts) and ffmpeg is coherent. However the registry metadata at the top claimed no required env vars/credentials while SKILL.md and the script explicitly require VOLC_AK/VOLC_SK and even include a config.json with AK/SK — that metadata mismatch is unexpected and should be explained by the author.
Instruction Scope
The SKILL.md and script instruct the agent to read images from /root/.openclaw/media/inbound and to upload user images/audio/video to public file hosts (catbox.moe, 0x0.st; references also mention uguu.se). Reading inbound media and calling external APIs is necessary for the task, but automatic public hosting of user-supplied images/audio is a significant privacy risk. The SKILL.md warns about this, but the automation will still expose content publicly during processing — verify users understand this before use.
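One way to make sure users understand the exposure is to gate every public upload on explicit consent. The sketch below is illustrative only; the function name and the `user_consented` flag are assumptions, not part of the skill, and the host list simply repeats the hosts named in this review.

```python
PUBLIC_HOSTS = ("catbox.moe", "0x0.st")  # hosts named in this review


def confirm_public_upload(file_name: str, user_consented: bool) -> str:
    """Return a notice when the upload may proceed; raise otherwise.

    Hypothetical gate: the caller must collect consent from the user first.
    """
    if not user_consented:
        raise PermissionError(
            f"Refusing to upload {file_name!r}: user has not agreed to public hosting"
        )
    hosts = ", ".join(PUBLIC_HOSTS)
    return f"{file_name} will be reachable by anyone with the URL on: {hosts}"
```

An agent running unattended would call this with `user_consented=False` by default, so media is never published without a recorded decision.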
Install Mechanism
No install spec (instruction-only), so nothing is written by an installer. The script has heavy runtime dependencies (opencv, deepface/retinaface, numpy, edge-tts, ffmpeg) and deepface may download models at runtime. Lack of an install spec means dependency installation/behavior (and model downloads) will happen outside the package and should be managed explicitly.
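Because there is no install step, a pre-flight check can at least report what is missing before the pipeline starts. This is a minimal sketch using only the standard library; the function name is hypothetical, and the binary and module names (`ffmpeg`, `edge-tts`, `cv2`, `numpy`, `deepface`) are assumed from the dependencies listed above.

```python
import importlib.util
import shutil

REQUIRED_BINARIES = ("ffmpeg", "edge-tts")       # assumed CLI names
REQUIRED_MODULES = ("cv2", "numpy", "deepface")  # assumed import names


def missing_dependencies(binaries=REQUIRED_BINARIES, modules=REQUIRED_MODULES) -> list[str]:
    """List dependencies that cannot be found, without importing anything."""
    # shutil.which returns None when the executable is not on PATH.
    missing = [f"binary:{name}" for name in binaries if shutil.which(name) is None]
    # find_spec locates a top-level module without executing it, so no
    # model download or heavy import is triggered by the check itself.
    missing += [f"module:{name}" for name in modules
                if importlib.util.find_spec(name) is None]
    return missing
```

Calling `missing_dependencies()` at startup and aborting on a non-empty result keeps dependency problems from surfacing halfway through a run.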
Credentials
Requesting VOLC_AK and VOLC_SK is appropriate for calling Volcengine. However the included config.json in the package contains ak/sk values (hard-coded credentials). Shipping credentials in a skill package is a serious red flag: it may be a leaked/shared key or intentionally embedded account credentials. The script will read a config.json in its directory if env vars are not set, causing accidental use of those embedded credentials. This is disproportionate and may grant the package author (or whoever controls that account) access to usage and uploaded content.
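A stricter alternative to the fallback described above is to read credentials from the environment only and fail loudly when they are absent. The following is a sketch under that assumption; `load_volc_credentials` is a hypothetical name, and only the `VOLC_AK` / `VOLC_SK` variable names come from the skill's documentation.

```python
import os


def load_volc_credentials(env=None) -> tuple[str, str]:
    """Return (ak, sk) from environment variables only.

    Hypothetical loader: it deliberately never reads a bundled config.json.
    """
    env = os.environ if env is None else env
    ak = env.get("VOLC_AK", "").strip()
    sk = env.get("VOLC_SK", "").strip()
    if not ak or not sk:
        raise RuntimeError(
            "Set VOLC_AK and VOLC_SK; refusing to fall back to a bundled config.json"
        )
    return ak, sk
```

Failing instead of falling back means a missing variable can never silently route requests through someone else's account.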
Persistence & Privilege
always:false and normal autonomous invocation are fine. The skill reads from the agent's inbound media directory and writes temporary files under /tmp and its own workspace; it does not modify other skills or system-wide configs. Still, the combination of autonomous invocation plus public uploads means the agent could automatically expose user media when invoked — be cautious about enabling it for unattended runs.
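How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: /install volc-digital-human
- Once installation finishes, invoke the Skill by name or trigger it with /volc-digital-human
- Provide the required inputs as described in the Skill's parameter notes to get structured output.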
Version history
v1.0.4
Add required_env_vars, runtime_dependencies, file_upload_hosts, and privacy notice to manifest. Fix docs inconsistency (uguu->catbox). Add English version of documentation.
v1.0.3
Remove hardcoded credentials from references/volc_api.md and clarify user setup instructions
v1.0.2
Fix: Add .skillignore to exclude config.json with hardcoded credentials
v1.0.1
Initial release: Generate talking avatar videos from photos
v1.0.0
Initial version
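FAQ
What is Volcengine Digital Human Video Generator?
A Volcengine digital human video generation skill. It triggers when a user sends a photo along with dialogue or voice-over copy and asks for a talking-head digital human video. It runs the whole pipeline automatically: image upload, avatar creation, TTS voice-over (automatic gender detection, multi-voice matching), video synthesis, and delivery of the result back to the user. Trigger words include 数字人 (digital human), 视频合成 (video synthesis), 口播视频 (talking-head video), and 数字人视频 (digital human video). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 112 total downloads so far.
How do I install Volcengine Digital Human Video Generator?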
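Run the command "/install volc-digital-human" in the OpenClaw or Claude Code chat box to install it in one step. The install command itself needs no extra configuration, but the skill still requires VOLC_AK/VOLC_SK and its runtime dependencies (edge-tts, ffmpeg, OpenCV, deepface) to be set up separately.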
Is Volcengine Digital Human Video Generator free?
Yes. Volcengine Digital Human Video Generator is free and released under the MIT-0 license, so it can be downloaded, installed, and used freely.
Which platforms does Volcengine Digital Human Video Generator support?
Volcengine Digital Human Video Generator is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Volcengine Digital Human Video Generator?
It is developed and maintained by xiaoxiaole2025 (@xiaoxiaole2025). The current version is v1.0.4.