← 返回 Skills 市场
Web2Labs Studio
作者
Philipp Fanta
· GitHub ↗
· v1.0.1
447
总下载
2
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install web2labs-studio
功能描述
Edit my recording, turn a long video into shorts, generate captions and thumbnails, estimate cost before processing. Upload local files or YouTube/Twitch URL...
安全使用建议
This skill appears coherent for controlling the Web2Labs Studio service from your agent. Before installing: (1) Only provide WEB2LABS_API_KEY if you trust web2labs.com; the key will be stored in ~/.openclaw/openclaw.json (the code attempts chmod 600). (2) Be cautious when supplying webhook_url values — the skill will POST job results to whatever callback URL you provide (so do not point that at an untrusted endpoint if you want to keep outputs private). (3) yt-dlp will be executed for URL inputs; ensure you are comfortable with the skill running that binary and writing temporary files. (4) If you want strict budget control, configure WEB2LABS_SPEND_POLICY or the WEB2LABS_AUTO_SPEND_* env vars before use. Overall this skill is internally consistent with its stated purpose; if you need higher assurance, confirm the network domains contacted (baseUrl defaults to https://www.web2labs.com) and review the small set of included npm dependencies in package-lock.json.
功能分析
Type: OpenClaw Skill
Name: web2labs-studio
Version: 1.0.1
The OpenClaw Studio skill is designed with strong security controls, explicitly addressing common attack vectors. It prevents credential leakage by stripping authentication headers for non-Web2Labs domains (`src/lib/api-client.mjs`), sanitizes remote filenames to prevent path traversal during downloads (`src/tools/download.mjs`), and uses `execFileAsync` for `yt-dlp` execution with carefully constructed arguments to mitigate shell injection risks (`src/lib/downloader.mjs`). API keys are stored locally with restricted permissions (`~/.openclaw/openclaw.json`, `chmod 600`). The `SKILL.md` instructions guide the AI agent in a safe and cost-aware manner, reinforcing guardrails against misuse. There is no evidence of intentional harmful behavior, obfuscation, or unauthorized data exfiltration.
能力评估
Purpose & Capability
Name/description (cloud video editing: upload, render, thumbnails, cost estimates) match the implemented tools and network calls to web2labs.com. Declared primary credential (WEB2LABS_API_KEY), Node.js requirement, and permissions (network, filesystem) are appropriate for downloading URLs (yt-dlp), uploading files, polling results, and writing outputs/config. No unrelated credentials or unexpected binaries are requested.
Instruction Scope
SKILL.md and code instruct the agent to run yt-dlp for URL downloads, call Web2Labs APIs, optionally register webhooks, poll via WebSocket/HTTP, and write the API key into ~/.openclaw/openclaw.json. These are within the skill's stated purpose. Two notes: (1) the skill will send project.completed callbacks to any webhook_url the user supplies — that is expected functionality but could send user data to an attacker-controlled endpoint if the user configures one, (2) SKILL.md references additional env vars controlling spend policy (WEB2LABS_SPEND_POLICY and WEB2LABS_AUTO_SPEND_MAX_*) that are used for behavior but are not listed in the registry's required env list.
Install Mechanism
There is no external download/install step in the manifest (no remote URL or package install during agent install). The package includes Node.js source files and a package.json with standard npm dependencies (node-fetch, socket.io-client, form-data, zod, and an MCP SDK). This is a typical embedded skill server implementation and not a high-risk remote-install pattern. No extracted remote archives or shortener/personal-server download URLs were observed.
Credentials
The only declared primary credential is WEB2LABS_API_KEY which is proportional to the skill's function. The skill also documents optional env vars (WEB2LABS_SPEND_POLICY and multiple WEB2LABS_AUTO_SPEND_MAX_* caps) used to control spend behavior; these are reasonable but not listed under requires.env in the registry metadata. The code implements logic to avoid sending auth headers to non-Web2Labs domains (shouldAttachAuth) and stores the API key in the OpenClaw config with file-permissions hardening (chmod 600 attempt).
Persistence & Privilege
always:false (no forced inclusion). The skill writes its API key into ~/.openclaw/openclaw.json and sets its own entry enabled — this is standard onboarding behavior for many skills. It does modify the global OpenClaw config only to store its own credentials/enablement, which is expected for a user-approved API key storage but worth noting to users who prefer not to store credentials on disk.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install web2labs-studio - 安装完成后,直接呼叫该 Skill 的名称或使用
/web2labs-studio触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Release of the Web2Labs Studio Skill
元数据
常见问题
Web2Labs Studio 是什么?
Edit my recording, turn a long video into shorts, generate captions and thumbnails, estimate cost before processing. Upload local files or YouTube/Twitch URL... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 447 次。
如何安装 Web2Labs Studio?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install web2labs-studio」即可一键安装,无需额外配置。
Web2Labs Studio 是免费的吗?
是的,Web2Labs Studio 完全免费(开源免费),可自由下载、安装和使用。
Web2Labs Studio 支持哪些平台?
Web2Labs Studio 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Web2Labs Studio?
由 Philipp Fanta(@vinlow)开发并维护,当前版本 v1.0.1。
推荐 Skills