Total downloads: 488
Favorites: 0
Current installs: 0
Versions: 18
Install in OpenClaw
/install zimujun
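Description
字幕菌 (zimujun): extracts transcript/subtitle text from links on major video platforms. Works with YouTube, TikTok/抖音, 小红书, Bilibili, and other platforms.
Safe usage recommendations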
This skill appears to do what it claims (call an npm client to extract subtitles) but has several red flags you should consider before installing or using it:
- Do not paste your API key into chat. The SKILL.md explicitly invites users to 'send the key to me' so the agent can set the env var — this is unsafe. If you must use the service, set ZMJ_API_KEY as an environment variable locally or in a controlled runtime, not via chat.
- Running npx --yes zimujun@latest fetches and executes remote code unpinned from npm. That code could change over time. Prefer that the publisher provide a pinned version, a package checksum, or a link to a public source repo before running it. Consider running in an isolated VM/container.
- Ask the maintainer for the package homepage/source and for the reason the registry metadata omits ZMJ_API_KEY. Lack of a homepage and unknown source increases risk.
- If you proceed, verify the npm package author and reviews, and run the tool in an environment where it cannot access sensitive files or credentials beyond ZMJ_API_KEY.
If you want help formulating questions to the skill author (e.g., request source code, pinned release, or checksum), I can draft them for you.
Functional analysis
Type: OpenClaw Skill
Name: zimujun
Version: 1.0.17
The skill utilizes `npx --yes zimujun@latest` in `SKILL.md` to dynamically download and execute code from npm at runtime, which introduces a supply chain risk. Furthermore, the instructions explicitly direct the AI agent to solicit the `ZMJ_API_KEY` from the user within the chat interface if it is missing, encouraging risky credential-handling practices. While these actions are aligned with the tool's stated purpose of subtitle extraction via a third-party service (devtool.uk), the combination of dynamic remote execution and active credential solicitation warrants a suspicious classification.
Capability assessment
Purpose & Capability
Name/description (extract subtitles) aligns with requiring node/npx and an API key for a backend service. However, the registry metadata lists no required env var while SKILL.md mandates ZMJ_API_KEY — a metadata/instruction mismatch.
Instruction Scope
SKILL.md tells the agent to run 'npx --yes zimujun@latest "<url>"', read ZMJ_API_KEY from the environment, and — problematically — explicitly offers the user the option to '直接密钥发给我,我会帮你设置环境变量' (send the secret to the agent so it can set the env var). That encourages secret disclosure in chat. The instructions also require returning/transmitting fetched content and error messages; they do not request unrelated files, but they permit running arbitrary downloaded code.
Install Mechanism
No install spec in registry, but runtime uses npx to pull and execute the latest package from npm. Using 'npx --yes' + '@latest' runs remote code unpinned and auto-accepts prompts — this is a moderate-to-high risk install pattern because the executed package comes from the network and could change.
Credentials
Only one credential (ZMJ_API_KEY) is required by the SKILL.md, which is proportionate to a service-backed extractor. But the skill's registry metadata omitted this requirement. More importantly, the skill's instructions invite users to paste the API key into chat for the agent to set — that is an unnecessary and unsafe vector for secret disclosure.
Persistence & Privilege
always is false, no install script or persistent system modifications are declared, and the skill does not request access to other skills' configs or system-wide credentials. Autonomous invocation is allowed (platform default) but not combined with other privileges here.
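How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: `/install zimujun`
- After installation, call the Skill by name or use `/zimujun` to trigger it.
- Provide the required inputs according to the Skill's parameter description to get structured output.
Version history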
v1.0.17
- Added strict guidance to always include the purchase/learn link (https://devtool.uk/plugin) when `ZMJ_API_KEY` is missing.
- Standardized error messaging for missing API Key, requiring a template message with link and setup instructions.
- Clarified that only stating "set the environment variable" is insufficient—must also provide the purchase link.
- Added a ready-to-use Markdown template for API Key missing scenario.
- No code changes detected; documentation and messaging requirements updated.
v1.0.16
No code changes, only minor documentation updates:
- Clarified user guidance to visit https://devtool.uk/plugin when setting the ZMJ_API_KEY environment variable.
- Updated related usage and error documentation to maintain consistency in API key setup instructions.
v1.0.15
- Updated the plugin description for clarity; removed "通过 npm 包 zimujun" and simplified language.
- Improved the opening usage scenario to clarify when to use the plugin.
- No changes to technical usage, inputs, outputs, or platform support.
- Documentation is now clearer and easier to understand for users.
v1.0.14
zimujun 1.0.14
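- Streamlined and consolidated the run and output rules to improve ease of use.
- Further simplified the usage instructions, emphasizing that a single command is enough, and added guidance on obtaining a key.
- Made the input, output, and multi-link handling rules more prominent so they are easier to understand and follow.
- Made the security requirements explicit: results must be passed through faithfully; fabricating content or leaking the key is prohibited.
- Common failure causes and their fixes are clear at a glance.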
v1.0.13
No user-facing changes in this version.
- No file changes detected.
v1.0.12
No user-facing changes in this version.
- No file changes detected.
v1.0.11
- Always uses the latest zimujun version via npx (`npx --yes zimujun@latest`) for improved stability and features.
- Declares npm dependency for zimujun in metadata for better framework support.
- Simplifies installation steps: prioritizes npx usage, avoids full global install.
- Metadata updated to specify required binaries and add an emoji.
- Documentation clarified and updated for invocation and error handling.
v1.0.10
- Migrated implementation from Python scripts to the npm package zimujun, removing previous JS and Python files.
- Updated SKILL.md to reflect new installation, execution, and error handling processes based on the zimujun npm package.
- Adjusted runtime requirements to depend on Node.js tools (node, npm, pnpm, npx) instead of Python.
- Simplified and standardized input handling, command invocation, and output format guidance.
- Expanded troubleshooting advice for environment setup and API key issues.
- Introduced stricter requirements for command usage and result transparency.
v1.0.9
- Added built-in long-running task support via execute.js, enabling progress updates and timeout protection.
- Now automatically marks tasks as long-running and pushes progress every 20 seconds.
- Enhanced documentation to detail the new long task execution mode and usage.
- No changes to input/output specification or platform support.
v1.0.8
zimujun 1.0.8
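- Shortened the task duration note from "3–25 minutes" to "3–10 minutes".
- Removed the "Execution rules" section and simplified the usage flow description.
- Made the "Output rules" explicit: the transcript text must be returned on success and the error message on failure.
- Removed the handling instructions for a missing `ZMJ_API_KEY` environment variable.
- The documentation is more concise and readable overall.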
v1.0.7
zimujun 1.0.7
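- Removed the "Important behavior guidelines" section and simplified the usage instructions.
- Other content and functionality unchanged.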
v1.0.6
zimujun 1.0.6
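- Strengthened the environment recommendations for running the Skill, explicitly recommending an independent sub-agent.
- Added a special note for developers: this Skill is a medium-to-long-running task, with more detailed recommendations on collaboration and context isolation.
- Recommended that the main agent use `sessions_spawn` to start an independent sub-agent, including spawn parameters and best-practice notes.
- Other run rules, input/output rules, and security requirements remain the same.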
v1.0.5
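- The Skill must now be executed through a sub-agent; the main agent is not allowed to call it directly.
- If the current environment does not support sub-agents, the user must be told explicitly that the Skill cannot be executed as required.
- Updated the execution flow and priority constraints: a sub-agent must be created and invoked before any other operation.
- Other usage and behavior guidelines remain unchanged.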
v1.0.4
No file changes detected; documentation (SKILL.md) updated with important new behavior guidelines:
- Added a new section clarifying that some operations can take several minutes or longer, and this is normal.
- Clearly instructs users (and agents) not to retry, report failure, or loop tool calls when receiving "processing", "pending", or similar statuses.
- Provides examples of correct status updates to give while waiting for long tasks.
- Specifies to only treat the process as failed if a clear error is returned—not simply due to timeouts or long waits.
v1.0.3
No user-visible changes in this version.
- No file changes detected.
- No updates to documentation or functionality.
v1.0.2
zimujun 1.0.2 Changelog
- Simplified and reorganized documentation for a clearer quick start and usage guide.
- Merged and condensed platform and input rules for easier reference.
- Clarified the API key requirement and failure handling.
- Tightened output and safety requirements.
- No functional or code changes; only documentation improved.
v1.0.1
- Enhanced input handling: now supports extracting video links from mixed or full share texts (not just plain URLs).
- Added detailed rules for link extraction, including prioritizing major video platforms and handling multiple links with user confirmation.
- No code or file changes; documentation update only.
v1.0.0
zimujun 1.0.0
- Initial release: extract transcript/subtitle text from major video platform links (YouTube, TikTok/抖音, 小红书, Bilibili, etc.).
- Accepts one required input: video URL.
- Requires ZMJ_API_KEY from environment variable before running; prompts user if missing.
- Runs via a provided Python script (not with raw curl).
- Output includes input URL, success/failure status, key response fields, and actionable suggestions on failure.
- No need to specify language or expose API keys in logs.
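FAQ
What is 字幕菌?
字幕菌 (zimujun): extracts transcript/subtitle text from links on major video platforms. Works with YouTube, TikTok/抖音, 小红书, Bilibili, and other platforms. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 488 total downloads so far.
How do I install 字幕菌?
Run the command "/install zimujun" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is 字幕菌 free?
Yes, 字幕菌 is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.
Which platforms does 字幕菌 support?
字幕菌 runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed 字幕菌?
Developed and maintained by kyris wu (@kyriswu); the current version is v1.0.17.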