Sora Video Generation
Pass. Audited by ClawScan on May 1, 2026.
Overview
This skill generates Sora videos through OpenAI's API, but users should note that it uses an OpenAI API key, sends prompts and reference images to OpenAI, and resolves Python dependencies at runtime.
This appears safe to install for OpenAI Sora video generation. Before using it, provide an OpenAI API key carefully, avoid sensitive prompts or reference images unless permitted, choose output paths intentionally, and consider pinned dependencies if you need reproducible installs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill can consume OpenAI account quota or incur charges under the supplied API key.
The skill uses the user's OpenAI credential to create and download videos. This is purpose-aligned, but it grants account/billing authority and is not reflected in the registry credential declarations.
Set `OPENAI_API_KEY` environment variable or pass `--api-key`.
Use a dedicated or scoped OpenAI API key where possible, prefer the environment variable over passing the key on the command line, and monitor usage.
Private prompts or reference images may leave the local environment and be processed by OpenAI.
The script sends the user prompt and, when provided, a reference image file to OpenAI's video API. This is the expected data flow for the stated function, but users should treat prompts and images as shared with the provider.
video = client.videos.create(prompt=args.prompt, model=args.model, seconds=args.seconds, size=args.size, input_reference=image_file)
Avoid submitting confidential or sensitive images/prompts unless your OpenAI account and data-handling policy allow it.
The packages installed or used by uv may change over time, which can affect reproducibility and dependency risk.
The helper script declares runtime dependencies with lower-bound version ranges rather than exact pins or a lockfile. This is not suspicious by itself, but it means future dependency resolution may vary.
# dependencies = [
#   "openai>=1.0.0",
#   "httpx>=0.25.0",
#   "pillow>=10.0.0",
# ]
For controlled environments, pin or lock dependency versions and install packages from trusted sources.
