by 安全扫描
OpenClaw
可疑
medium confidence该技能的声明用途(远程歌词同步渲染)与其运行时指令一致,但存在轻微的不一致以及隐私/行为方面的顾虑(自动回拨、配置路径的元数据不匹配、以及不透明的 token 处理),安装前请务必了解。
评估建议
This skill appears to do what it claims (upload a video to a Nemo backend and return a rendered, lyrics-synced file), but you should weigh privacy and transparency before installing:
- The skill will automatically connect to https://mega-api-prod.nemovideo.ai on first use and may auto-generate an anonymous token without an explicit consent step — expect network activity as soon as you open the skill.
- Uploaded media and any associated text/instructions are sent to the remote service; do not ...详细分析 ▾
ℹ 用途与能力
The skill claims to perform remote video lyric-syncing and all API endpoints and request patterns in SKILL.md align with that purpose. Requiring a NEMO_TOKEN is reasonable for a hosted rendering service. Minor inconsistency: the registry metadata reported no required config paths, but the skill's frontmatter includes configPaths ("~/.config/nemovideo/"). Also the skill declares NEMO_TOKEN required yet provides an anonymous-token auto-provision flow, which is functionally fine but could be misleading.
⚠ 指令范围
The SKILL.md instructs the agent to automatically connect to the remote backend on first open (POST to an external endpoint) and to auto-generate/store tokens and session IDs. That means the skill will 'phone home' and obtain credentials without an explicit user action beyond opening the skill. It also instructs reading install paths to set X-Skill-Platform headers (inspects ~/.clawhub/ and ~/.cursor/skills/), which requires inspecting local paths. The file-upload and render/export workflows send user media to an external domain (mega-api-prod.nemovideo.ai) — expected for the stated purpose but important to surface as a privacy risk.
✓ 安装机制
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest install risk.
ℹ 凭证需求
Only one credential (NEMO_TOKEN) is declared as required and as primaryEnv, which is proportionate for a cloud rendering service. However, the skill's runtime will auto-provision an anonymous NEMO_TOKEN if none is present, so requiring the env var is partly informational. The frontmatter's configPaths entry is out-of-band relative to registry metadata and suggests it may access a local config directory; that should be justified to the user.
✓ 持久化与权限
always:false and no install or persistent modification of other skills are present. The skill stores a session_id for its own requests (expected). It does not request elevated or always-on privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/19
- AI Unified Video Lyrics 首次发布。 - 利用 AI 即时将歌词同步为音乐视频的动态字幕。 - 支持上传 MP4、MOV、AVI、WebM 视频文件,最大 500MB;服务器端自动处理。 - 匿名 token 认证,简单配置,赠送 100 免费积分。 - 云端快速渲染,通常每段视频 1–2 分钟。 - 支持余额查询、状态更新及一键导出/下载流程。
● 无害
安装命令
点击复制官方npx clawhub@latest install ai-unified-video-lyrics
镜像加速npx clawhub@latest install ai-unified-video-lyrics --registry https://cn.longxiaskill.com
技能文档
------|------|------------| | “导出”/“download”/“发我视频” | → §3.5 导出 | ✅ | | “积分”/“credits”/“余额” | → §3.3 积分 | ✅ | | “状态”/“status” | → §3.4 状态 | ✅ | | “上传”/用户发文件 | → §3.2 上传 | ✅ | | 其他(生成、编辑、加 BGM…) | → §3.1 SSE | ❌ |
云渲染流程
每任务在云端 GPU 排队,合成视频层,按平台规格压缩(H.264,最大 1080×1920),30-90 秒返回下载链接。关闭页面前务必等待完成,否则任务孤儿。主要接口(均指向 https://mega-api-prod.nemovideo.ai):
- 会话 —
POST /api/tasks/me/with-session/nemo_agent - 对话 SSE —
POST /run_sse - 上传 —
POST /api/upload-video/nemo_agent/me/ - 积分 —
GET /api/credits/balance/simple - 状态 —
GET /api/state/nemo_agent/me//latest - 导出 —
POST /api/render/proxy/lambda+ 轮询GET /api/render/proxy/lambda/
支持格式:mp4、mov、avi、webm、mkv、jpg、png、gif、webp、mp3、wav、m4a、aac。
请求头必须携带:
Authorization: Bearer
X-Skill-Source: ai-unified-video-lyrics
X-Skill-Version: 1.0.0
X-Skill-Platform: clawhub|cursor|unknown
缺失归因头将 402 失败。