Sora Video Generation

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this skill can consume OpenAI account quota or incur charges under the supplied API key.

Why it was flagged

The skill uses the user's OpenAI credential to create and download videos. This is purpose-aligned, but it grants account/billing authority and is not reflected in the registry credential declarations.

Skill content

Set `OPENAI_API_KEY` environment variable or pass `--api-key`.

Recommendation

Use a dedicated or scoped OpenAI API key where possible, prefer the environment variable over passing the key on the command line, and monitor usage.

What this means

Private prompts or reference images may leave the local environment and be processed by OpenAI.

Why it was flagged

The script sends the user prompt and, when provided, a reference image file to OpenAI's video API. This is the expected data flow for the stated function, but users should treat prompts and images as shared with the provider.

Skill content

video = client.videos.create(prompt=args.prompt, model=args.model, seconds=args.seconds, size=args.size, input_reference=image_file)

Recommendation

Avoid submitting confidential or sensitive images/prompts unless your OpenAI account and data-handling policy allow it.

What this means

The packages installed or used by uv may change over time, which can affect reproducibility and dependency risk.

Why it was flagged

The helper script declares runtime dependencies with lower-bound version ranges rather than exact pins or a lockfile. This is not suspicious by itself, but it means future dependency resolution may vary.

Skill content

# dependencies = [
#     "openai>=1.0.0",
#     "httpx>=0.25.0",
#     "pillow>=10.0.0",
# ]

Recommendation

For controlled environments, pin or lock dependency versions and install packages from trusted sources.