Sora Video Generation
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims (generate Sora videos), but users should note that it needs an OpenAI API key, sends prompts and images to OpenAI, and relies on uv-resolved Python dependencies.
This skill is reasonable to use if you intend to generate videos through OpenAI Sora. Before installing or running it, make sure you are comfortable providing an OpenAI API key, potentially incurring API costs, sending any prompts or reference images to OpenAI, and resolving the listed Python dependencies through uv.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can consume OpenAI account credits or quota, and passing an API key on the command line may expose it through shell history or process listings.
The script accepts an OpenAI API key and also reads OPENAI_API_KEY. This is expected for Sora generation, but it gives the skill delegated access to the user's OpenAI account and potential billing usage.
    parser.add_argument(
        "--api-key", "-k",
        help="OpenAI API key (overrides OPENAI_API_KEY env var)"
    )

Use a limited OpenAI API key where possible, prefer a secure environment or credential mechanism over passing --api-key directly, and verify expected billing/quota impact before generating videos.
Private or sensitive prompts and reference images may be transmitted to OpenAI as part of video generation.
The skill sends the user's prompt and, when provided, a resized reference image to OpenAI's video API. This is the core function of the skill and is disclosed, but users should recognize that local image content leaves their environment.
    video = client.videos.create(
        prompt=args.prompt,
        model=args.model,
        seconds=args.seconds,
        size=args.size,
        input_reference=image_file,
    )

Avoid using confidential images or sensitive prompt content unless you are comfortable sending them to OpenAI under your account and applicable data-handling terms.
Dependency versions may vary over time, which can affect behavior or expose users to package supply-chain risk if the environment resolves unexpected versions.
The helper script declares runtime dependencies using lower-bound version ranges. With the documented uv run workflow, these packages may be resolved at use time rather than from a pinned lockfile.
    # dependencies = [
    #     "openai>=1.0.0",
    #     "httpx>=0.25.0",
    #     "pillow>=10.0.0",
    # ]
Run in an isolated environment and consider pinning or locking dependency versions if reproducibility or stricter supply-chain control is important.
