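📦 zxcvbnm-mnbvcxz — AI Video Generation
v1.0.1 Calls the AIVideoMaker API to create text/image-to-video tasks, poll their status, and fetch their details in one step, automating the whole workflow.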
Last updated
2026/3/25
Security scan
OpenClaw
Suspicious
medium confidence
The code and runtime instructions match the stated AIVideoMaker API purpose, but metadata mismatches (skill name/slug/version), small manifest inconsistencies, and the package including executable JS files despite being advertised as instruction-only make the package suspicious and worth extra scrutiny before installing.
Assessment recommendations
This package's code implements the AIVideoMaker API and appears to only use the AIVIDEO_API_KEY to call the vendor's endpoints, which is consistent with its advertised functionality. However, before installing: 1) Verify origin — the published skill name (zxcvbnm-mnbvcxz) and registry metadata do not match internal filenames and manifest (aivideo-api-executor) and versions differ; this could be an accidental mispackaging or a sign it was republished under a different name. 2) Confirm you trust t...
ℹ Purpose and capabilities
The implementation (scripts/*, references/*, contract validation) clearly implements an AIVideoMaker API workflow and only requires an AIVIDEO_API_KEY and node. That capability is coherent with the described purpose. However, the published skill name (zxcvbnm-mnbvcxz) and registry metadata do not match internal filenames/_meta.json/manifest (aivideo-api-executor), and the registry version (1.0.1) differs from package version (1.0.12). These metadata mismatches are unexpected and reduce trust.
✓ Instruction scope
SKILL.md and the scripts restrict actions to: accept CLI payload, validate payload, and call the AIVideoMaker API endpoints (baseUrl defaults to https://aivideomaker.ai). The code reads only process.env.AIVIDEO_API_KEY and CLI args; it does not read arbitrary host files or other env vars. Logging masks headers and strips headers from log output. No evidence of data exfiltration to unexpected endpoints.
✓ Install mechanism
There is no installer that downloads remote code; the package includes local JS files only (low install risk). No external archives or obscure URLs are fetched during install. Note: package.json requires node but the package lists engines >=14; the code uses fetch which may require Node >=18 to work as-is—this is a runtime compatibility issue, not a direct security problem.
ℹ Credential requirements
The only required secret is AIVIDEO_API_KEY (declared in several places). Optional env variables (AIVIDEO_TIMEOUT_MS, AIVIDEO_MAX_RETRIES) are reasonable. One inconsistency: top-level 'Requirements' summary said 'required binaries: none' but SKILL.md and clawhub.manifest.json declare node as required. Primary credential was missing in the initial registry summary but present in manifest — small inconsistencies that should be reconciled.
✓ Persistence and privileges
always:false and model invocation not disabled (platform default). The skill does not request persistent system privileges, does not modify other skills, and does not require system config-path access.
⚠ scripts/aivideo-client.mjs:5
Environment variable access combined with network send.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.1 2026/3/25
- Removed example input and smoke test script files, reducing bundled samples and testing code.
- No changes to skill functionality or API—core execution workflow remains the same.
- Updated documentation with improved action definitions, security practices, and required environment metadata.
● Benign
Install commands
Official: npx clawhub@latest install zxcvbnm-mnbvcxz
Mirror: npx clawhub@latest install zxcvbnm-mnbvcxz --registry https://cn.longxiaskill.com