即梦AI视频生成

This skill appears to do what it claims (call Volcengine/Dreamina to generate videos with audio), but there are a few red flags you should verify before installing or providing credentials: - Packaging/documentation mismatches: the registry metadata claims no env vars while skill.yaml requires VOLCENGINE_ACCESS_KEY_ID and VOLCENGINE_SECRET_ACCESS_KEY; README says the binary is "already installed" but no install spec or binary is included. Ask the publisher to clarify how the skill is delivered and invoked. - Auth variable inconsistency: curl examples use Authorization: Bearer ${API_KEY} but the declared secrets are an access key ID and secret. Confirm how to derive the actual Authorization header and whether the skill needs a single API token or the two keys. - Credential scope: create and use a dedicated Volcengine API key with the minimum permissions (only the Dreamina/generation service) and make it revocable. Do not reuse high-privilege or long-lived account keys. - Network/domain sanity check: the examples call ark.cn-beijing.volces.com (Volcengine-like domain). Confirm this is the legitimate endpoint for your account/region before sending keys or content. - Operational caution: because this is instruction-only (no bundled code), risk of arbitrary code on disk is low, but the skill will cause network requests that could send prompt/content and your supplied media to the vendor. If you need to keep prompts or media private, review the vendor's data usage policy or test with non-sensitive content. If the publisher can resolve the env-var and install inconsistencies and you can limit the API key scope, the skill is reasonable to use. If they cannot explain these mismatches, treat the package as untrusted.