manga-animation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent manga/animation generation workflow that clearly uses Volcengine Ark APIs and local output files, with user checkpoints before costly generation steps.

Install dependencies in a virtual environment, configure ARK_API_KEY as an environment variable rather than editing it into the script, review the storyboard/reference-image paths and shot count before approving API generation, and avoid using private content you do not want sent to the provider.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Your Ark key may be used for paid image/video generation; hardcoding it in scripts can leave the secret on disk.

Why it was flagged

The skill needs a provider API key and suggests optional hardcoding. This is expected for Ark API access, but it gives the scripts authority to use the user's provider account and quota.

Skill content
**Only one key is needed**: `ARK_API_KEY` (unified authentication for the Ark platform) ... export ARK_API_KEY="your_key_here" ... or fill in ARK_API_KEY = "..." directly at the top of the script
Recommendation

Use the environment variable method, avoid committing or sharing modified scripts containing the key, and set provider-side quotas if available.

ASI02: Tool Misuse and Exploitation
Low
What this means

Batch generation can create many files and consume API quota, especially for long storyboards.

Why it was flagged

The workflow runs local Python commands that make batch API calls and generate/update project files. The artifacts also require user confirmation before these API-consuming stages.

Skill content
After confirming that the prompt accurately describes the target character, proceed to stage 4 (API quota consumption begins) ... python call_image_api.py storyboard ... python call_video_api.py batch
Recommendation

Review the storyboard, shot count, output directory, and expected cost before approving stages 4 and 5.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing unpinned packages may pull newer or unexpected versions in the future.

Why it was flagged

The dependency installation is manual and unpinned. This is purpose-aligned, but package versions and provenance are left to the user's environment.

Skill content
pip install 'volcengine-python-sdk[ark]' requests
Recommendation

Install from a trusted package index, consider pinning known-good versions in a virtual environment, and review package provenance.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Reference images and prompts used for video generation leave the local machine and are sent to the external provider.

Why it was flagged

For video generation, the script base64-encodes local reference images and sends them to the Ark provider along with prompts. This matches the purpose but is a data boundary users should notice.

Skill content
image_url = image_to_data_uri(image_path) ... client.content_generation.tasks.create(... "type": "image_url", "image_url": {"url": image_url})
Recommendation

Do not use private images or sensitive prompt text unless you are comfortable sending them to the provider; review reference_image paths before running video generation.