ClawHub

IMA Seedance2.0 Video Generator

v1.0.3

Seedance 2.0 AI video generator — two models in one skill: Seedance 2.0 (ima-pro) for cinema-grade quality with high frame-rate temporal consistency, precise...

1· 87·0 current·0 all-time
by@allenfancy-gan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Seedance 2.0 video generation) align with requested binaries (python3, ffmpeg, ffprobe), the single required env var (IMA_API_KEY), and the included Python scripts for task creation, uploads, and compliance. The included APP_ID/APP_KEY are used for upload signing and are documented as non-secret in SECURITY.md.
Instruction Scope
Runtime instructions require calling scripts/ima_video_create.py and the shipped scripts perform media validation, optional remote-URL probing, local-file uploads to the declared upload service (imapi.liveme.com), compliance verification prompts, and polling of api.imastudio.com. These actions are within the declared scope but the skill will (a) send your IMA_API_KEY to the upload host for local/non-HTTPS uploads and (b) may fetch user-supplied remote media URLs for validation. The skill respects interactive consent but supports non-interactive auto-consent via IMA_AUTO_CONSENT.
Install Mechanism
No install spec (instruction-only) and only a simple requirements.txt (requests>=2.25.0). No arbitrary downloads or archive extraction are present in the package metadata. This is low-risk from an install mechanism perspective.
Credentials
Only one required credential (IMA_API_KEY) is requested and it is justified by the skill's remote APIs. Optional env vars (IMA_DEBUG, IMA_AUTO_CONSENT, IMA_STDOUT_MODE) are documented. The code does not request unrelated cloud credentials or system secrets. Note: the IMA API key is sent to both api.imastudio.com and imapi.liveme.com (documented) — use a scoped/test key if you are concerned.
Persistence & Privilege
Persistence is limited to ~ /.openclaw/memory/ima_prefs.json and ~/.openclaw/logs/ima_skills/ (declared). always:false (not force-installed). The skill can run autonomously by default (platform default) and will use the provided IMA_API_KEY during autonomous calls — if you allow autonomous invocation, that key can be used without interactive prompts unless the skill encounters compliance checks (which may require consent or IMA_AUTO_CONSENT).
Scan Findings in Context
[external-network-calls] expected: The skill legitimately calls api.imastudio.com for task orchestration and imapi.liveme.com for upload-token/upload flows; these endpoints are documented in SECURITY.md and in-code constants.
[hardcoded-upload-signing-key] expected: APP_ID/APP_KEY values are present in scripts/ima_constants.py and documented as 'NOT a secret' used for request signing to the upload API. Presence is noisy but intentionally documented; it does not replace the required IMA_API_KEY.
Assessment
This package appears coherent for its stated purpose. Before installing, consider: (1) Use a scoped/test IMA_API_KEY (not a broad-production key) during initial testing because the key will be sent to the declared upload host (imapi.liveme.com) for local/non-HTTPS uploads. (2) If you run the skill non-interactively, IMA_AUTO_CONSENT can bypass compliance prompts — avoid setting it unless intentional. (3) The skill writes logs and prefs under ~/.openclaw; inspect or sandbox if you want to prevent local files being created. (4) Review SECURITY.md and the upload/verification code if you handle sensitive media (PII) because local media may be uploaded to the provider's storage/CDN. (5) If you want stricter control, run the scripts in a constrained environment (container/VM) and revoke or scope the API key after testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fk6mjqmc6qcrdeqynnwqm7184320v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, ffmpeg, ffprobe
EnvIMA_API_KEY
Primary envIMA_API_KEY
Environment variables
IMA_API_KEYrequiredPrimary IMA credential used for product list, task creation, task polling, compliance verification, and upload-token calls.
IMA_STDOUT_MODEoptionalOptional stdout mode toggle for event-stream integrations. Supported values are events, mixed, and auto.
IMA_AUTO_CONSENToptionalOptional non-interactive flag to auto-approve asset compliance verification prompts.
IMA_DEBUGoptionalOptional debug flag that enables verbose logging for troubleshooting.

Dependencies

requestspip >=2.25.0

Comments