Withme Youtube

With me. YouTube 频道 Lofi 氛围视频制作全流程。小米（Content）全权调度，从选题到发布一条龙。含 AI 图片生成、Envato 音频下载、FFmpeg 合成、SEO 资料包、YouTube 上传排程、Shorts 切片。触发词：withme、lofi视频、氛围视频、YouTube发布、...

What to check before installing or running this skill: - Ask the author to explicitly declare required credentials and files (e.g., GEMINI_API_KEY, path to youtube_client_secret.json or a GOOGLE_CLIENT_* env, Envato account) in the skill metadata. Do not rely on the skill reading ~/.openclaw/openclaw.json or other shared files implicitly. - Review any external scripts the SKILL.md executes (generate_image.py, youtube_upload.py) before running them. Those scripts run with your account privileges and could exfiltrate keys or delete files. - Confirm where youtube_client_secret.json and the Envato account credentials are stored and whether you're comfortable granting the skill access. Prefer explicit env variables or OAuth flows rather than the agent reading other skills' files. - The skill instructs use of the Chrome DevTools Protocol (127.0.0.1:18800 and webSocketDebuggerUrl) and Page.setDownloadBehavior to automate downloads. Ensure the browser/CDP endpoint is not exposed to untrusted networks and that you trust the automation flow — CDP access can be powerful and used to drive downloads or click arbitrary buttons. - Run the workflow in a sandboxed environment or test account first (no production Google account) to verify behavior and to ensure it doesn't leak credentials or upload unintended content. - If you still want to use this skill, request the author update SKILL.md/metadata to list all required credentials and the exact external scripts, and provide/verifiy the source for those scripts so you can audit them. Why this is rated suspicious (not outright malicious): The actions described are consistent with legitimate automation for producing and uploading videos, but the skill omits explicit declarations of sensitive dependencies and instructs access to local secret/config files and CDP. That mismatch could be benign oversight or sloppy engineering — but it also increases the risk of secret exposure, so proceed with caution.

Type: OpenClaw Skill Name: withme-youtube Version: 2.1.0 The skill bundle automates a complex YouTube video production pipeline but contains instructions in SKILL.md to intentionally bypass the 'Main' agent's oversight and inspection mechanism (pending.json). It features high-risk behaviors including programmatically extracting API keys from local configuration files (~/.openclaw/openclaw.json) and using Chrome DevTools Protocol (CDP) via websockets to manipulate browser behavior, automate downloads, and circumvent Cloudflare protections. While these actions support the stated automation goals, the circumvention of security gates and direct handling of sensitive credentials represent significant risks.