ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shinewilzhang Video Generate

v1.0.0

使用 video_generate.py 脚本生成视频,需要提供文件名和 prompt,可选提供首帧图片(URL或本地路径)。

0· 117·1 current·1 all-time
by@shinewilzhang

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for shinewilzhang/shinewilzhang-video-generate.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Shinewilzhang Video Generate" (shinewilzhang/shinewilzhang-video-generate) from ClawHub.
Skill page: https://clawhub.ai/shinewilzhang/shinewilzhang-video-generate
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shinewilzhang-video-generate

ClawHub CLI

Package manager switcher

npx clawhub@latest install shinewilzhang-video-generate
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the code (a script that calls the Ark content-generation API and downloads the result). However the registry metadata declared no required environment variables or credentials while both SKILL.md and the script expect an Ark-style API key (MODEL_VIDEO_API_KEY or ARK_API_KEY). The omission in the manifest is inconsistent.
!
Instruction Scope
SKILL.md claims the skill will fall back to VOLCENGINE_ACCESS_KEY/VOLCENGINE_SECRET_KEY to obtain an Ark API key, but the script does not implement that fallback (it only checks MODEL_VIDEO_API_KEY or ARK_API_KEY). The script will read local image files (if provided) and convert them to base64, then include that data in the request to the external Ark API — i.e., local file contents may be transmitted to a third party. SKILL.md documents the first-frame behavior, but the false claim about VOLCENGINE keys and the unadvertised transmission of local files are scope mismatches that matter for privacy.
Install Mechanism
There is no install spec. The script imports volcenginesdkarkruntime.Ark, but the skill provides no instructions or dependencies list (e.g., pip install) to ensure that SDK is present. That omission is a usability/security gap (missing explicit dependency installation), but there is no external download or installer in the manifest.
!
Credentials
The registry metadata lists no required env vars, but both SKILL.md and the code require an API key via MODEL_VIDEO_API_KEY or ARK_API_KEY. SKILL.md further claims a VOLCENGINE_* fallback which the code does not perform. The skill therefore asks for credentials in practice (API key used to contact Ark) without declaring them up front. Also, providing a local image causes the script to read and send file contents to the external API — this is expected for image-driven generation but should be highlighted as sensitive data exposure.
Persistence & Privilege
The skill does not request permanent/always-on inclusion, does not modify other skills or system configs, and does not persist credentials itself. Normal autonomous invocation is allowed but not combined with other elevated privileges.
What to consider before installing
This skill likely does what it says (calls an Ark content-generation API and downloads a video), but there are several practical and privacy issues to consider before installing or running it: - Credentials: The manifest omitted required env vars. You must set MODEL_VIDEO_API_KEY or ARK_API_KEY for the script to work. Do not provide sensitive production credentials if you are unsure where requests are sent. - Dependency: The script imports volcenginesdkarkruntime but gives no install steps. Ensure you install the correct SDK (preferably from a trusted source) in an isolated environment before running. - Local files may be uploaded: If you pass a local image path as the first_frame argument, the script base64-encodes the file and sends it to the Ark API. Do not use private images or sensitive files unless you understand the provider's data handling and privacy policy. - Documentation mismatch: SKILL.md claims a VOLCENGINE_* fallback to obtain an Ark API key, but the code does not implement that. Ask the author to clarify or update the docs. Recommendations: run this in a sandbox/VM, review and pin the Ark SDK package before installing, set a throwaway API key or account for testing, avoid passing local files containing sensitive data, and request that the skill manifest be updated to declare required env vars and dependency installation steps. If you require stronger assurance, ask the publisher to explain the VOLCENGINE fallback and to provide a reproducible install/run guide.

Like a lobster shell, security has layers — review code before you run it.

latestvk97794zb4z4ha8y0awst0pv64x83yrxn
117downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
@shinewilzhang
latest
Download

Video Generate

适用场景

当需要根据文本描述生成视频时,使用该技能。支持通过首帧图片控制视频起始画面,首帧可以是 URL 或本地文件路径。

使用步骤

  1. 准备目标文件名(如 output.mp4)和清晰具体的 prompt
  2. (可选) 准备首帧图片,可以是 HTTP URL,也可以是本地文件路径(脚本会自动转为 Base64)。
  3. 运行脚本 python scripts/video_generate.py <filename> "<prompt>" [first_frame]。运行之前cd到对应的目录。
  4. 脚本将输出视频的 TOS URL 并自动下载到指定文件。

认证与凭据来源

  • 优先读取 MODEL_VIDEO_API_KEYARK_API_KEY 环境变量。
  • 若未配置,将尝试使用 VOLCENGINE_ACCESS_KEYVOLCENGINE_SECRET_KEY 获取 Ark API Key。

输出格式

  • 控制台输出生成的视频 URL。
  • 视频文件将被下载到指定路径。

示例

纯文本生成:

python scripts/video_generate.py "cat.mp4" "一只可爱的猫"

带首帧图片生成(URL):

python scripts/video_generate.py "dog_run.mp4" "一只小狗在草地上奔跑" "https://example.com/dog_start.png"

带首帧图片生成(本地文件):

python scripts/video_generate.py "my_video.mp4" "图片中的人物动起来" "/path/to/local/image.jpg"

Comments

Loading comments...