Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Doubao Image Video
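v0.3.1
Native skill for Doubao image and video generation. Use it when the user mentions Doubao, text-to-image, image-to-image, text-to-video, image-to-video, querying a video generation task, waiting for a task to complete, or downloading the final video. It calls the Volcengine Ark API directly and does not depend on an external MCP service.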
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description state it talks to Volcengine Ark for image/video generation and the script (scripts/doubao_media.py) implements exactly that behavior (image/video generation, task polling, optional download). Requiring an Ark API key is coherent with the stated purpose. However, the top-level registry metadata claims there are no required environment variables while the SKILL.md and script require DOUBAO_API_KEY; this metadata mismatch is inconsistent.
Instruction Scope
SKILL.md instructs running the included python script which only contacts the documented Ark endpoints, polls tasks, and optionally downloads resulting video files to a user-specified path. The instructions avoid reading unrelated local files or environment secrets beyond the declared DOUBAO_* variables and explicitly state not to download user-provided image URLs unless asked. Behavior is within the stated scope.
Install Mechanism
This is an instruction-only skill with one included Python script and no install spec. It requires python3 on PATH — nothing is downloaded or executed from arbitrary URLs. Risk from installation is low.
Credentials
The code requires a single sensitive env var DOUBAO_API_KEY to authenticate to Ark, which is appropriate for this purpose. However, the registry metadata provided with the skill lists 'Required env vars: none' while SKILL.md metadata and the script require DOUBAO_API_KEY (and define optional DOUBAO_* env vars). That discrepancy is a provenance/configuration issue that could lead to silent failures or surprising prompts; it should be resolved before trusting the skill. No unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does write downloaded video files only when the user specifies a --download-to path, which is expected behavior.
What to consider before installing
This skill's code matches its description: it calls Volcengine Ark endpoints and requires a DOUBAO_API_KEY. Before installing: (1) ensure you are comfortable providing a dedicated Ark API key (prefer least-privilege, revokeable key) and that the key is stored securely; (2) confirm the registry metadata is corrected so the required env var is visible (the current bundle claims no required env vars but the script fails without DOUBAO_API_KEY); (3) review the GitHub source (homepage) to ensure no differences from the provided files; (4) be aware the skill can download generated videos to any path you specify — do not pass sensitive system paths; (5) if you need stronger assurance, ask the maintainer to sign/release the package or to explain why registry metadata omitted the API key requirement. If these checks look good, the skill is proportionate to its purpose.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cbxqay8fh805x7qdfextxw9841gxw
Runtime requirements
Bins: python3
