Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sora2 Video

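Sora2 text-to-video: submit generation tasks through the Tianshu proxy and poll for results. Use when: the user specifies a model such as sora_video2 or sora-2-pro to generate a short video.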

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by tianshu @wangshengli0421
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, declared primaryEnv (TS_TOKEN), and required env (AIZNT_PROXY_URLS) match the code and SKILL.md: the scripts POST to a v2_videos_generations URL and GET a v2_videos_generations_fetch URL. No unrelated credentials, binaries, or services are requested.
Instruction Scope
Runtime instructions and scripts only perform: load TS_TOKEN and AIZNT_PROXY_URLS from env, POST a JSON body to the proxy submit URL, and GET the fetch URL. The script can read a local file when --body-file is used (expected for user-provided request bodies) — be careful not to point it at files containing secrets. All external network traffic goes to URLs supplied in AIZNT_PROXY_URLS (intended by design).
Install Mechanism
Instruction-only install (no external downloads). Bundled Node scripts use built-in fetch and no npm dependencies. Nothing is fetched from third-party URLs during install.
Credentials
Only TS_TOKEN (primary credential) and AIZNT_PROXY_URLS are required — proportionate to a proxy-based API client. However, TS_TOKEN is sent as a Bearer token to the endpoints defined in AIZNT_PROXY_URLS; if those URLs are attacker-controlled, the token (and any request body) could be exposed. Ensure AIZNT_PROXY_URLS contains only trusted proxy endpoints.
Persistence & Privilege
always is false; the skill doesn't request persistent system-wide changes or modify other skills' configs. It runs on demand and only uses its declared env vars.
Assessment
This skill is coherent for submitting and polling Sora2 video-generation jobs. Before installing: (1) ensure TS_TOKEN is a legitimate ts_ token and rotate it if you suspect exposure; (2) verify the entries in AIZNT_PROXY_URLS are trusted proxy endpoints (the skill will send your TS_TOKEN and request bodies to those URLs); (3) avoid pointing --body-file at local files containing secrets; and (4) run initial tests in a controlled environment to confirm endpoints behave as expected.
scripts/client.js:3: Environment variable access combined with network send.
scripts/sora2.js:48: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0

Runtime requirements

Env: AIZNT_PROXY_URLS
Primary env: TS_TOKEN

SKILL.md

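Sora2 Video (aiznt-sora2)

This skill provides two Node entry points under the TsClaw / OpenClaw skills directory: submit creates an asynchronous task, and fetch queries status and output by task ID. All requests are forwarded through the proxy URLs issued by Tianshu and must use the same Bearer credential as Tianshu conversations.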

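Prerequisites

  1. TsClaw is logged in to a Tianshu account, and on the Skills page you have run "Sync Tianshu credentials" for this skill or saved the configuration manually.
  2. Environment variables (written by the application to skills.entries and mapped to the process environment at execution time):
    • TS_TOKEN: the Tianshu conversation token with the ts_ prefix.
    • AIZNT_PROXY_URLS: a JSON object string containing at least the two keys this skill uses (see below). Key names must match the fields returned by the backend's getAizntProxyByTokenUrls.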

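Proxy URL keys

| Key name | Purpose |
| --- | --- |
| v2_videos_generations | POST; submits the text-to-video request body (prompt, model, etc.) |
| v2_videos_generations_fetch | GET; queries the task. The template may contain {task_id}, which the script replaces with the actual ID |

If the URL template contains {task_id}, do not hard-code a task ID; run submit first to obtain the ID, then pass it to fetch.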
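A pre-flight check that a wrapper could run before any request carries TS_TOKEN, shown as an added example that is not part of the skill's scripts. The function names, the trustedHosts allowlist and the sample values are assumptions; the environment variable names and the two keys come from this document.

```javascript
// Added example, not the skill's code. validateSkillEnv, buildFetchUrl and the
// trustedHosts allowlist are hypothetical; env names and keys are from SKILL.md.
const REQUIRED_KEYS = ['v2_videos_generations', 'v2_videos_generations_fetch'];

// Returns a list of problems; an empty list means the token may be sent.
function validateSkillEnv(env, trustedHosts) {
  const problems = [];
  if (typeof env.TS_TOKEN !== 'string' || !env.TS_TOKEN.startsWith('ts_')) {
    problems.push('TS_TOKEN: missing or not a ts_ token');
  }
  let urls;
  try {
    urls = JSON.parse(env.AIZNT_PROXY_URLS);
  } catch {
    return [...problems, 'AIZNT_PROXY_URLS: not valid JSON'];
  }
  if (urls === null || typeof urls !== 'object' || Array.isArray(urls)) {
    return [...problems, 'AIZNT_PROXY_URLS: not a JSON object'];
  }
  for (const key of REQUIRED_KEYS) {
    const raw = urls[key];
    if (typeof raw !== 'string' || raw.trim() === '') { problems.push(`${key}: missing or empty`); continue; }
    let u;
    try { u = new URL(raw); } catch { problems.push(`${key}: not a URL`); continue; }
    if (u.protocol !== 'https:') problems.push(`${key}: not https`);
    if (u.username || u.password) problems.push(`${key}: embedded credentials`);
    if (!trustedHosts.includes(u.hostname)) problems.push(`${key}: untrusted host ${u.hostname}`);
  }
  return problems;
}

// Fills {task_id} with an encoded ID and rejects any result that changes origin.
function buildFetchUrl(template, taskId) {
  const filled = template.replace('{task_id}', encodeURIComponent(String(taskId)));
  if (new URL(filled).origin !== new URL(template).origin) {
    throw new Error('task_id changed the request origin');
  }
  return filled;
}

// Constructed sample environment (not real values): the fetch URL is the bad one.
const sampleEnv = {
  TS_TOKEN: 'ts_constructed_sample',
  AIZNT_PROXY_URLS: JSON.stringify({
    v2_videos_generations: 'https://proxy.example/v2/videos/generations',
    v2_videos_generations_fetch: 'http://collector.invalid/v2/videos/generations/{task_id}',
  }),
};
console.log(validateSkillEnv(sampleEnv, ['proxy.example']));
```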

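Command examples

From the project root or the skill directory (so that node can load scripts/):

```bash
# 1. Submit a task (the body is the JSON required upstream; the example fields are for reference only, follow the actual model documentation)
node scripts/sora2.js submit --body '{"prompt":"A coffee cup on a wooden table, slow pan","model":"sora_video2"}'

# 2. Assuming the previous response contains a task id (the field name may be id / task_id depending on the upstream wrapper), query progress
node scripts/sora2.js fetch --task-id <task ID from the previous step>
```

The JSON structure returned by a successful submit depends on the Tianshu gateway and the upstream wrapper; if the fields appear only nested inside data, parse task_id according to the actual response.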

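Common errors

  • 401 / missing TS_TOKEN: credentials were not synced or the apiKey has expired; re-sync in TsClaw or refresh the Tianshu login.
  • Missing key in AIZNT_PROXY_URLS: the credentials endpoint did not return the corresponding proxy path; the backend must configure both v2_videos_generations and v2_videos_generations_fetch.
  • HTTP 4xx on submit: the request body field names or model name do not match upstream; adjust the model and prompt constraints against the currently available Sora2 model list.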

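Relationship to TsClaw

  • apiKey in the Skills configuration corresponds to the environment variable TS_TOKEN (primaryEnv: TS_TOKEN).
  • env.AIZNT_PROXY_URLS is the entire JSON string; at runtime this skill only needs non-empty values for the two keys above.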

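Maintenance notes

The scripts use the Node 18+ global fetch with no additional npm dependencies. When changing proxy behavior, update loadClient / fetchJson in scripts/client.js and the URL key table in this document together.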
