Sora Video

What to consider before installing: - The skill is coherent with its purpose (Sora video generation) and legitimately requires an OpenAI API key; expect your videos and any reference files you upload to be sent to OpenAI's API. Only supply media you are comfortable sharing. - Do NOT run arbitrary curl | sh installers without review. SKILL.md suggests running a remote installer (astral.sh) to get 'uv'. Prefer installing uv via a trusted package manager or inspect the install script before executing it. Running an unreviewed remote install elevates risk. - Confirm the registry metadata is updated to list OPENAI_API_KEY as a required env var. The current mismatch is a red flag about maintenance quality. - Limit the API key's exposure: use a key tied to a billing account you control; enable usage limits if possible and monitor billing for unexpected usage, since video generation can be costly. - If you need stronger assurance, ask the publisher for: source code repo/homepage, checksum or signed release for the CLI, and an explanation why there is no install spec in the registry. Running the CLI in an isolated environment (non-root container or ephemeral VM) until you vet it is recommended. - If you plan to upload sensitive assets, verify that the guardrails (no real people, no copyrighted music/characters) match your requirements and consider pre-processing or anonymizing inputs. What would change this assessment: presence of an official homepage or code repository, a registry install spec that uses vetted package sources (instead of recommending curl|sh), and corrected metadata explicitly listing OPENAI_API_KEY would move this toward 'benign'. Conversely, evidence of hidden endpoints, telemetry, or requests for unrelated credentials would increase suspicion.