ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Video Wan Video

Generate videos with Model Studio DashScope SDK using Wan i2v models (wan2.6-i2v-flash, wan2.6-i2v, wan2.6-i2v-us). Use when implementing or documenting vide...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 954 · 2 current installs · 2 all-time installs
by@cinience
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, and included scripts consistently implement video generation via the DashScope SDK and the listed Wan model names. The code uses the expected DashScope classes and model IDs, so the capability matches the stated purpose.
!
Instruction Scope
Runtime instructions and the scripts explicitly read .env files, attempt to load credentials from ~/.alibabacloud/credentials, and auto-upload local reference images via the SDK. These behaviors are reasonable for a video-generation skill but broaden the data the skill will read (local .env, profile-based credentials, and any local reference_image paths). The SKILL.md also directs saving task IDs, logs, and output files under an output directory. None of these steps appear malicious, but they do access local secrets/config and will cause network uploads of local files if those are supplied as reference images.
Install Mechanism
There is no install spec (instruction-only), and the SKILL.md recommends installing the dashscope Python package in a virtualenv. This is a low-risk, common pattern; no remote arbitrary archive downloads or unusual install steps are present.
!
Credentials
The registry metadata lists no required environment variables or primary credential, but the SKILL.md and scripts require DASHSCOPE_API_KEY (env or ~/.alibabacloud/credentials) and may honor ALIBABA_CLOUD_PROFILE/ALICLOUD_PROFILE. That mismatch (declared none vs runtime expectation) is a coherence issue: users must provide an API key for the service, and the skill will look in local credential files which can contain other secrets/profiles.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It only writes outputs and logs under project output directories it documents; it does not modify other skills or request permanent platform presence.
What to consider before installing
This skill appears to do what it says (generate videos via DashScope), but note two important points before installing: 1) The package metadata does not declare required credentials, yet the code and SKILL.md require DASHSCOPE_API_KEY (via env or ~/.alibabacloud/credentials). Expect to provide that API key and verify it is scoped appropriately. 2) The scripts automatically read .env files, ~/.alibabacloud/credentials, and may upload local reference_image files; avoid running these scripts in directories containing unrelated secrets or private files. Use a dedicated virtualenv, install dashscope from PyPI, inspect the dashscope package you install, and consider running the scripts on a machine/account that holds only the minimum privileges and keys needed for video generation.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk97ekx6h62mstzyz70hybppm3n82qw7v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: provider

Model Studio Wan Video

Validation

mkdir -p output/alicloud-ai-video-wan-video
python -m py_compile skills/ai/video/alicloud-ai-video-wan-video/scripts/generate_video.py && echo "py_compile_ok" > output/alicloud-ai-video-wan-video/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-video-wan-video/validate.txt is generated.

Output And Evidence

  • Save task IDs, polling responses, and final video URLs to output/alicloud-ai-video-wan-video/.
  • Keep one end-to-end run log for troubleshooting.

Provide consistent video generation behavior for the video-agent pipeline by standardizing video.generate inputs/outputs and using DashScope SDK (Python) with the exact model name.

Critical model names

Use one of these exact model strings:

  • wan2.2-t2v-plus
  • wan2.2-t2v-flash
  • wan2.6-i2v-flash
  • wan2.6-i2v
  • wan2.6-i2v-us
  • wan2.6-t2v-us
  • wanx2.1-t2v-turbo

Prerequisites

  • Install SDK (recommended in a venv to avoid PEP 668 limits):
python3 -m venv .venv
. .venv/bin/activate
python -m pip install dashscope
  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials (env takes precedence).

Normalized interface (video.generate)

Request

  • prompt (string, required)
  • negative_prompt (string, optional)
  • duration (number, required) seconds
  • fps (number, required)
  • size (string, required) e.g. 1280*720
  • seed (int, optional)
  • reference_image (string | bytes, optional for t2v, required for i2v family models)
  • motion_strength (number, optional)

Response

  • video_url (string)
  • duration (number)
  • fps (number)
  • seed (int)

Quick start (Python + DashScope SDK)

Video generation is usually asynchronous. Expect a task ID and poll until completion. Note: Wan i2v models require an input image; pure t2v models can omit reference_image.

import os
from dashscope import VideoSynthesis

# Prefer env var for auth: export DASHSCOPE_API_KEY=...
# Or use ~/.alibabacloud/credentials with dashscope_api_key under [default].

def generate_video(req: dict) -> dict:
    payload = {
        "model": req.get("model", "wan2.6-i2v-flash"),
        "prompt": req["prompt"],
        "negative_prompt": req.get("negative_prompt"),
        "duration": req.get("duration", 4),
        "fps": req.get("fps", 24),
        "size": req.get("size", "1280*720"),
        "seed": req.get("seed"),
        "motion_strength": req.get("motion_strength"),
        "api_key": os.getenv("DASHSCOPE_API_KEY"),
    }

    if req.get("reference_image"):
        # DashScope expects img_url for i2v models; local files are auto-uploaded.
        payload["img_url"] = req["reference_image"]

    response = VideoSynthesis.call(**payload)

    # Some SDK versions require polling for the final result.
    # If a task_id is returned, poll until status is SUCCEEDED.
    result = response.output.get("results", [None])[0]

    return {
        "video_url": None if not result else result.get("url"),
        "duration": response.output.get("duration"),
        "fps": response.output.get("fps"),
        "seed": response.output.get("seed"),
    }

Async handling (polling)

import os
from dashscope import VideoSynthesis

task = VideoSynthesis.async_call(
    model=req.get("model", "wan2.6-i2v-flash"),
    prompt=req["prompt"],
    img_url=req["reference_image"],
    duration=req.get("duration", 4),
    fps=req.get("fps", 24),
    size=req.get("size", "1280*720"),
    api_key=os.getenv("DASHSCOPE_API_KEY"),
)

final = VideoSynthesis.wait(task)
video_url = final.output.get("video_url")

Operational guidance

  • Video generation can take minutes; expose progress and allow cancel/retry.
  • Cache by (prompt, negative_prompt, duration, fps, size, seed, reference_image hash, motion_strength).
  • Store video assets in object storage and persist only URLs in metadata.
  • reference_image can be a URL or local path; the SDK auto-uploads local files.
  • If you get Field required: input.img_url, the reference image is missing or not mapped.

Size notes

  • Use WxH format (e.g. 1280*720).
  • Prefer common sizes; unsupported sizes can return 400.

Output location

  • Default output: output/alicloud-ai-video-wan-video/videos/
  • Override base dir with OUTPUT_DIR.

Anti-patterns

  • Do not invent model names or aliases; use official Wan i2v model IDs only.
  • Do not block the UI without progress updates.
  • Do not retry blindly on 4xx; handle validation failures explicitly.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • See references/api_reference.md for DashScope SDK mapping and async handling notes.

  • Source list: references/sources.md

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…