Security scan
OpenClaw
Suspicious
Medium confidence. The skill appears to implement an AI video-editing workflow that matches its description, but it asks for and uses user tokens without declaring them, directs the agent to request tokens in-chat, and includes networked code and crypto logic with undeclared dependencies; these inconsistencies and credential-handling choices are concerning.
Assessment recommendations
This skill implements the expected video-editing flow but has several red flags you should consider before installing: (1) It requires a service token (appsecret/XJD_TOKEN) but does not declare it in the registry; the SKILL.md instructs the agent to ask you to paste the token into chat. Do NOT paste long-lived or sensitive tokens into a chat. Prefer setting XJD_TOKEN as an environment variable in a controlled environment. (2) The code will upload your video/audio to external services (biyi.cxtfun.com and API-cutflow.fun.tv) and will send the token in request headers...
ℹ Purpose and capabilities
Files and SKILL.md implement a video upload, OCR, ASR, clipping, TTS and final compose workflow calling biyi.cxtfun.com and API-cutflow.fun.tv; this aligns with the 'video editing' purpose. However, the skill metadata declares no required env vars or primary credential, while the code and runtime instructions clearly rely on a user token (XJD_TOKEN / appsecret). That mismatch (no declared credential but runtime token usage) is unexpected.
⚠ Instruction scope
SKILL.md explicitly instructs: if the environment variable is not set, prompt the user to paste the "小剪刀 Token" directly into the conversation; it also instructs sending the video file/URL to an external service, which returns a signed OSS URL. Asking the user to provide a secret in chat and guiding the assistant to accept it effectively extends the skill's scope to credential collection/exfiltration, beyond simple editing. The instructions allow storing the Token in an environment variable but do not enforce this and do not restrict how it is handled.
ℹ Installation mechanism
There is no install spec (instruction-only style), which minimizes install-time risk. But the bundle includes Python modules that depend on third-party packages (requests, pycryptodome) that are not declared in the skill metadata or SKILL.md. Running the skill will therefore require installing these dependencies on the host, which the metadata does not warn about.
⚠ Credential requirements
The code requires a service token (used as appsecret/X-API-Token) but the skill's declared list of required env vars is empty. The SKILL.md encourages direct in-chat token entry and also suggests using XJD_TOKEN for persistent use; requesting a credential without declaring it is disproportionate and increases the risk of accidental exposure. The skill will send uploaded video/audio/subtitle data and the token to remote endpoints (biyi.cxtfun.com, API-cutflow.fun.tv), which users should expect but may not realize from the registry metadata.
✓ Persistence and permissions
The skill does not declare always:true and can be invoked by the user; it does not attempt to modify other skills or system-level configuration. Autonomous invocation is allowed by default, but it is not combined with other high-privilege settings in the manifest.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/21
xiaojiandao 1.0.1 - No code or documentation changes detected in this version. - No new features, fixes, or updates introduced.
● Harmless
Install command
Official: npx clawhub@latest install xiaojiandao
Mirror (accelerated): npx clawhub@latest install xiaojiandao --registry https://cn.longxiaskill.com