
YM-MediaToolkit (Media Processing Toolkit)

Author: 370299455cx-web · GitHub · v3.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 99
Favorites: 0
Current installs: 0
Versions: 5
Install in OpenClaw
/install ym-mediatoolkit
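Description
Streaming video processing toolkit - compression, thumbnail extraction, audio conversion, without downloading the full video
Security usage recommendations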
This skill appears to implement the advertised streaming media processing and includes URL and path checks, but there are multiple inconsistencies you should resolve before installing:
  1. Ensure ffmpeg and ffprobe are installed on the host (they are required by the code but not declared in the top-level registry requirements).
  2. The published version metadata (3.0.0) does not match the included skill.json/SKILL.md (2.1.0) — ask the author to explain/version-lock.
  3. If you plan to run the HTTP server, install Flask (SKILL.md mentions it but requirements.txt omits it).
  4. Run the skill in an isolated, non-root environment (container) with restricted outbound network access and a controlled working directory so sanitize_output_path cannot write to unintended locations (if the agent's working directory is '/', absolute writes may still be possible).
  5. Test the URL validation behavior (DNS resolution fail-close, IPv6 mapping) in your environment to ensure legitimate sources you rely on are reachable.
If the author can fix the manifest/version inconsistency and clearly document required binaries and Python deps, the skill is coherent; until then treat it as suspicious and run only in an isolated sandbox.
Functional analysis
Type: OpenClaw Skill
Name: ym-mediatoolkit
Version: 3.0.0
The ym-mediatoolkit skill is a well-structured video processing utility that uses ffmpeg and OpenCV for streaming compression and extraction. It demonstrates strong security practices by implementing robust SSRF protection (including DNS resolution checks and private IP blocking) and path traversal defenses in utils.py. The code logic is transparent, follows security best practices for subprocess handling, and is strictly aligned with its stated purpose of media manipulation without evidence of malicious intent.
Capability tags
requires-oauth-token, requires-sensitive-credentials
Capability assessment
Purpose & Capability
Code files implement streaming compression, thumbnail extraction, and audio extraction consistent with the skill description. However the top-level registry metadata (Requirements: no binaries) contradicts the internal skill.json and README which state ffmpeg/ffprobe are required; the published version (3.0.0) also differs from skill.json/SKILL.md (2.1.0). These metadata mismatches are incoherent and could cause runtime failures or hide required privileges.
Instruction Scope
SKILL.md and run.py limit actions to fetching remote HTTP(S) video URLs, streaming-processing via ffmpeg/ffprobe, and saving outputs. The code performs DNS resolution and range requests to remote hosts and writes local output/temporary files. It does not request unrelated system secrets or attempt to read arbitrary host files. URL validation and output-path sanitization are applied before network I/O or file writes.
Install Mechanism
No install spec is provided (instruction-only), which reduces supply-chain risk. The README instructs 'pip install -r requirements.txt' (requests, opencv-python, numpy, aiohttp). However SKILL.md also asks to 'pip install flask flask-cors' for HTTP mode but flask is not listed in requirements.txt. The code calls external binaries via subprocess (ffmpeg, ffprobe) and skill.json documents them as required, but the registry 'Required binaries' field was empty — this mismatch should be resolved. No arbitrary remote downloads or URL shorteners are used in install steps.
Credentials
The skill declares no required environment variables or credentials and the code does not access secrets or environment variables. Network access is required (to fetch remote video URLs), which is proportionate to the stated functionality.
Persistence & Privilege
always:false and default autonomous invocation are used (normal). The skill writes local output and temporary files but does not modify other skill configurations or system-wide settings. The skill.json recommends containerized deployment and restricted privileges — appropriate given it performs network I/O and file writes.
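How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install ym-mediatoolkit
  3. Once installation completes, call the Skill by name or trigger it with /ym-mediatoolkit
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history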
v3.0.0
Media processing toolkit - compression, thumbnail extraction, audio extraction/format conversion, without downloading the full video
v2.0.2
- Improved security: All user-supplied output paths (`output_path`, `save_path`, `output_dir`) are now strictly checked against path traversal, system reserved names, and enforced to remain within the working directory.
- Enhanced SSRF protection: Now, if DNS resolution fails when validating video source URLs, requests are rejected (fail-close strategy), preventing prior accidental bypass on DNS errors.
- Updated documentation: Security section now details new output path validation, clarifies DNS error handling, and notes HTTP service defaults to 127.0.0.1 (local only).
- Minor notes added to configuration (`clawhub.note`) reminding users not to expose the HTTP service directly to the internet by default.
v2.0.1
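Version 2.1.0 emphasizes enhanced security protections and adds runtime deployment guidance:
- Enhanced validate_video_url() with multi-layer checks against SSRF/LFI, covering protocol, Unicode/Punycode domain names, IP ranges, and DNS resolution (including IPv6).
- The documentation explicitly adds a "Security Deployment Guide" covering container isolation, least privilege, disk quotas, temporary directory cleanup, and recommendations for placing authentication in front of the service.
- Added details of the validate_video_url() checks and a description of known limitations (such as no protection against DNS rebinding, and redirect limitations).
- Tests and usage notes include security validation examples for internal IPv4/v6 addresses and malicious domains.
- Version number bumped from 2.0.0 to 2.1.0.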
v2.0.0
Major update: Adds comprehensive video URL security validation and documentation.
- Strict URL validation now blocks local files, internal IPs, loopbacks, and unsafe protocols to prevent LFI and SSRF attacks.
- Validation is enforced before any video URL is processed by all features (compression, thumbnail, audio, info).
- Only http:// and https:// video URLs are accepted.
- New “security” tag added.
- Documentation fully updated to detail security measures, endpoints, CLI usage, and architecture.
v1.0.0
- Introduced stream-based video processing; no need to download entire files.
- Added video compression with adjustable output sizes and quality preservation.
- Implemented thumbnail extraction at any timecode or frame.
- Enabled audio extraction to MP3, WAV, AAC, and M4A formats.
- All features use efficient streaming to save time and disk space.
Metadata
Slug ym-mediatoolkit
Version 3.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 5
FAQ

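What is YM-MediaToolkit (Media Processing Toolkit)?

A streaming video processing toolkit - compression, thumbnail extraction, audio conversion, without downloading the full video. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 99 total downloads so far.

How do I install YM-MediaToolkit (Media Processing Toolkit)?

Run the command "/install ym-mediatoolkit" in the OpenClaw or Claude Code dialog box for one-click installation; no additional configuration is required.

Is YM-MediaToolkit (Media Processing Toolkit) free?

Yes, YM-MediaToolkit (Media Processing Toolkit) is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does YM-MediaToolkit (Media Processing Toolkit) support?

YM-MediaToolkit (Media Processing Toolkit) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed YM-MediaToolkit (Media Processing Toolkit)?

Developed and maintained by 370299455cx-web (@370299455cx-web); the current version is v3.0.0.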
