Kling Video Generation

Advisory: Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may not see the API key and local tool requirements in the registry metadata before opening the skill details.

Why it was flagged

The registry permission/dependency contract does not advertise the credential and tools that the SKILL.md/script require. This is a visibility issue, not evidence of hidden installation or malicious code.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

Declare HSAI_API_KEY, curl, and python3 in metadata so users can review requirements before use.

What this means

The key may authorize video generation, account usage, or billing with the provider.

Why it was flagged

The script requires HSAI_API_KEY and sends it as a bearer token to the configured API. This is expected for a video-generation provider, but it is still delegated account authority.

Skill content

if [[ -z "${HSAI_API_KEY:-}" ]]; then ... AUTH="Authorization: Bearer $API_KEY"

Recommendation

Use a dedicated, revocable API key with the minimum needed access and avoid exposing it in shared shells or logs.

What this means

Private prompts, image references, or video references may leave the local environment and be processed by the external service.

Why it was flagged

The script posts the JSON request body, including the prompt and optional image/video URL or base64 references, to an external API gateway. This data flow is purpose-aligned but should be understood.

Skill content

BASE_URL="${HSAI_BASE_URL:-https://api-aigw.corp.hongsong.club}" ... -X POST "${BASE_URL}${KLING_API_PATH}" ... -d "$JSON_BODY"

Recommendation

Only submit media and prompts you are allowed to share with the configured provider, and confirm HSAI_BASE_URL is set to the intended endpoint.

What this means

If an existing or important file is chosen as the output path, it could be overwritten or deleted during a failed download.

Why it was flagged

The script downloads to the user-selected output path and removes that path on download failure, without first checking whether the file already existed.

Skill content

DL_CODE=$(curl -s -o "$OUTPUT" -w "%{http_code}" -L "$VIDEO_URL") ... rm -f "$OUTPUT"

Recommendation

Use a new, non-critical output filename; the script should ideally refuse to overwrite existing files or download to a temporary file before replacing the final output.