AIPing Media
v1.2.0AIPing 媒体生成技能,支持图片生成和视频生成。生成后自动下载到本地,优先通过飞书发送原生图片/视频消息,CDN 链接作为备选。当用户要求生成图片、生成视频、图片生成、视频制作、AI绘图、文生图、文生视频时自动触发。
⭐ 0· 99·0 current·0 all-time
by0x4C33@haoruilee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The skill name/description (AIPing media generation + send via Feishu) matches the required environment variables (AIPING_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET) and the included scripts call AIPing and Feishu endpoints. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs setting env vars in ~/.openclaw/openclaw.json and restarting the gateway so the skill can read them — this is expected for a skill that needs API keys. The sample shell/python snippets read the local openclaw config (user-facing setup steps). The runtime scripts themselves read secrets from environment variables only and restrict local file reads to /tmp/. Minor issues: a sample shell snippet that reads the JSON path is somewhat awkward but not malicious.
Install Mechanism
No install spec; this is an instruction-only skill with included Python scripts. No downloads from untrusted URLs or archive extraction. The skill will run the provided scripts from the workspace.
Credentials
Requested environment variables are proportional and required for functionality: AIPING_API_KEY for the AIPing API, FEISHU_APP_ID/FEISHU_APP_SECRET for obtaining Feishu tenant token and uploading messages. No extra or unrelated secrets are requested.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. It asks the user to store three env vars in the OpenClaw config (expected for API keys). The skill does not modify other skills' configs or system-wide settings beyond advising a gateway restart to pick up env changes.
Assessment
This skill appears to do what it says: it calls https://aiping.cn to generate media, downloads generated files into /tmp/, and uploads them to Feishu using the provided FEISHU_APP_ID/FEISHU_APP_SECRET. Before installing: 1) Only provide AIPING_API_KEY and Feishu app credentials you trust — these keys give the skill the ability to create media and send messages from the configured Feishu app. 2) Review the Feishu app permissions (im:resource and messaging scopes) and ensure the app is configured for the desired recipient scope. 3) Keep the keys secret in ~/.openclaw/openclaw.json and consider testing in an isolated environment first (the scripts download content to /tmp/ and will upload whatever is there). 4) Note a minor coding issue: send_feishu.py has a small typo in env lookup (FEESHU_APP_SECRET) but it falls back to the module-level variable; this looks like sloppy coding rather than malicious behavior. 5) If you need stricter controls, avoid storing credentials in global config and instead inject them at runtime or use scoped credentials. If you want me to, I can point out exact lines for the env-lookup typo and suggest small fixes to harden the scripts.Like a lobster shell, security has layers — review code before you run it.
latestvk97fbdhd0y1e4e15awfsmy4zrh84p3jg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvAIPING_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET
Primary envAIPING_API_KEY