Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openlens-skill

v1.0.7

Minimalist AI video generation portal offering prompt refinement, image-to-video conversion, local saving, streaming downloads, and both GUI and CLI access.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code (skill_main.py, cli.py, app.py, openlens-web/) implements T2I/T2V/I2V/V2V and a Streamlit GUI exactly as described; network calls and local saving behavior are coherent with the stated purpose. However, the repository includes a populated config.json containing API keys, which contradicts the SKILL.md guidance that users should put their own credentials into config.json and suggests the bundle was published with secrets embedded—this is not necessary for the stated purpose and is disproportionate.
Instruction Scope
SKILL.md instructs running the GUI/CLI and editing config.json for API credentials, which matches the code. But runtime files include actions beyond simple generation: a publish.sh that changes directories to an absolute user path and performs git push/clawhub publish, and GitHub Actions publish.yml. While these scripts are inert unless executed, they give the skill the capability to push code or trigger remote publication if run. The code itself reads/writes only local config.json and outputs/, but the included publish utilities and hard-coded config file expand scope unexpectedly.
Install Mechanism
There is no remote download or package-install step in the manifest; setup.sh uses standard venv + pip and requirements.txt. No extraction from arbitrary URLs or unusual install locations is present. This is a low-risk, typical local Python install mechanism.
Credentials
The skill declares no required environment variables, which is consistent, but the repository contains a config.json with populated API keys (video_api_key and text_api_key appear as bearer tokens). Bundling credentials inside the skill package is disproportionate and dangerous: it exposes secrets to anyone with the package and encourages reuse of embedded credentials. The tool_definition and code expect a user-supplied API key parameter, so embedding keys is unnecessary and inconsistent with least privilege.
Persistence & Privilege
The manifest does not request persistent or elevated privileges (always:false). The skill does not modify other skills or global configs. That said, included scripts (publish.sh and publish.yml) are able to push to GitHub / ClawHub when executed and publish.sh references an absolute workspace path (/Users/clawdbot/.openclaw/workspace/openlens-skill), which could cause accidental repository leakage if run in a different environment or by an automated process—this increases blast radius if a user executes the script without review.
What to consider before installing
Do not install or run this skill as-is. Key issues to address before use:

  • Replace/remove the bundled config.json: it contains bearer-style API keys; treat them as compromised. If you find these keys are valid, rotate them immediately at the provider and do not reuse them.
  • Inspect and do not execute publish.sh or any publishing automation unless you understand and intend to push this repository; publish.sh contains an absolute path and will attempt to push to GitHub/ClawHub.
  • Before running, create your own config.json (or delete the included one), set your API endpoints/keys locally, and keep the file out of any public repo (.gitignore is referenced but verify). Use principle of least privilege for API keys.
  • Run setup.sh only after reviewing it (it creates a venv and installs requirements — safe but confirm network/package choices). Run Streamlit/CLI in an isolated environment.
  • If you want to install the skill into a shared agent, ensure the agent's environment does not use the embedded config.json and that keys are provided via secure agent config or parameterized invocation rather than included files.

Summary: functionality matches the description, but embedded secrets and publishing scripts are disproportionate and risky. Clean or remove those artifacts and rotate any possibly exposed keys before using.

Like a lobster shell, security has layers — review code before you run it.

381 downloads
0 stars
7 versions
Updated 8h ago
MIT-0

OpenLens Skill

AI Video Generation Portal with Raw Transparency for OpenClaw.

Description

OpenLens is a minimalist AI video generation portal that serves as a raw transparency pass-through to your private video API. It bypasses content filtering restrictions and provides:

  • Prompt Refinement: Use LLM to enhance prompts before video generation
  • Image-to-Video: Upload images and convert to video
  • Dual Mode: GUI (Streamlit) + CLI
  • Local Save: Auto-download generated videos to configured local path
  • Streaming Download: Robust large file downloads with progress bar

Features

  • Pure pass-through: no content filtering, no safety middleware
  • Manual API configuration via GUI or config.json
  • OpenAI-style /v1/video/generations protocol support
  • Auto-polling for async video generation
  • HTML5 video player with download button
  • 18+ age verification gate
  • CLI support for automation

Installation

clawhub install openlens-skill

Usage

GUI Mode

streamlit run app.py

CLI Mode

# Basic video generation
python3 cli.py --prompt "A sunset over ocean"

# With prompt refinement
python3 cli.py -p "A sunset" --refine

# Image to video
python3 cli.py -p "Character walking" -i "https://example.com/image.jpg"

# Custom output path
python3 cli.py -p "video prompt" -o ./myvideo.mp4

Configuration

Edit config.json or use the GUI to set your API credentials:

{
    "video_api_url": "YOUR_VIDEO_API_URL",
    "video_api_key": "YOUR_VIDEO_API_KEY",
    "text_api_url": "YOUR_TEXT_API_URL",
    "text_api_key": "YOUR_TEXT_API_KEY",
    "text_model": "gpt-4o",
    "default_save_path": "./outputs"
}

CLI Options

Flag               Description
-p, --prompt       Video description (required)
-i, --image_url    Image URL for I2V
-o, --output       Output file path
-r, --refine       Enable prompt refinement
--resolution       720p or 1080p
--duration         5, 10, or 15 seconds

Requirements

  • Python 3.8+
  • streamlit >= 1.28.0
  • requests >= 2.31.0
  • tqdm >= 4.66.0

License

MIT

Author

OpenClaw Community
