uni-vision-engine
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its video-generation purpose, but it embeds a default session token and automatically installs an npm package at runtime, so it needs careful review before use.
Install only if you are comfortable with this skill running local shell commands, handling images you send in chat, connecting to a local Jimeng API service, and potentially spending account credits. Before use, remove the embedded session token, require your own declared credential, and replace the automatic runtime npm install with a pinned, reviewed dependency installation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use a preloaded account session and spend credits or act under an account identity that the user did not explicitly configure.
The script includes a default cached authentication session and later sends it as a Bearer token, so the skill can use account authority even when the user does not provide their own session.
let sessionToken = "b79fc...39978"; // default cached authentication session
Remove the embedded session token, require the user to provide their own credential through a declared secure mechanism, and clearly document credit-spending behavior.
Running the skill can unexpectedly fetch and execute package-install behavior from npm on the user's machine.
If the dependency is missing, the script automatically runs a shell-based npm install during execution, downloading unpinned code outside the declared install process.
const { execSync } = require('child_process');
execSync('npm install form-data --no-save', { stdio: 'ignore' });
Move dependency installation into a reviewed install spec, pin package versions with a lockfile, and avoid runtime npm installs.
When invoked, the agent has broad local shell capability rather than only a narrowly limited video-generation action.
The skill grants broad Bash access. This is used for the stated local video-generation workflow, but it is broader than a single scoped command.
allowed-tools: Bash(*)
Prefer limiting allowed commands to the specific script and required log-reading commands, or ask for user confirmation before shell actions.
Images provided in chat may be saved locally and submitted to the local Jimeng service and its generation/moderation flow.
The skill is designed to extract user-sent images and send them into the video-generation pipeline. That is purpose-aligned, but it is sensitive media handling.
automatically intercept clothing/character images sent by the user in the chat interface and seamlessly pass them to the generation model
Use only with images the user intends to process, disclose the upload/moderation behavior, and clean up temporary image files after generation.
