Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Video Gen

v1.0.0

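AI video generation and editing using the Volcengine Doubao Seedance model. Supports text-to-video, image-to-video, and video with audio. Use this skill when the user asks to generate a video, make a video, or do text-to-video or image-to-video.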

3 · 1.4k · 11 current · 11 all-time
by Nick Qiu @qiujiahong
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the included script and documentation: the skill calls a Doubao/Volcengine video-generation API and implements text/image/audio→video flows. Required capabilities (API key, optional base URL) are consistent with that purpose.
Instruction Scope
SKILL.md instructs the agent to run scripts/generate_video.py and optionally upload a generated video to Feishu. The Feishu upload is presented as an example and would require separate Feishu app credentials (app_id/app_secret) which are not declared as required env vars; the script itself only performs video generation and download. The script will read any local file paths you pass (first-frame/reference-image) and upload them to the remote generation API as provided — be cautious about supplying sensitive local files.
Install Mechanism
No install spec — instruction-only with included Python script. This is low-risk; nothing in the skill downloads or installs code at runtime beyond normal Python execution. The script depends on httpx but installation steps are left to the environment.
Credentials
The docs declare VIDEO_GEN_API_KEY and VIDEO_GEN_BASE_URL, but the script contains a bug: BASE_URL is read using os.environ.get("VIDEO_GEN_API_KEY", default) instead of os.environ.get("VIDEO_GEN_BASE_URL", default). This is a coding mistake (not a secret-exfiltration pattern) but means the declared base-URL env var is ignored unless you modify the script. Aside from that, only the service API key is required; no unrelated credentials are requested by the code. The Feishu example requires app_id/app_secret, but those are not listed as required env vars — they're optional examples.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always: false, no special config paths, does not modify other skills). It performs network calls to the declared API endpoint and saves downloaded video files to disk, which is expected for its purpose.
Assessment
This skill appears to do what it says (generate videos via Volcengine/Doubao) and contains only the expected network and file operations, but check a few things before installing or running it:
- Fix the BASE_URL bug: open scripts/generate_video.py and change the BASE_URL line from os.environ.get("VIDEO_GEN_API_KEY", ...) to os.environ.get("VIDEO_GEN_BASE_URL", "https://ark.cn-beijing.volces.com/api/v3"). Without that edit the intended VIDEO_GEN_BASE_URL env var will be ignored.
- Provide only a Volcengine API key you trust and avoid passing local file paths that contain sensitive data (the script will read any --first-frame or --reference-image file you supply and send it to the remote API).
- The README/SKILL.md include an example for uploading to Feishu; if you use that, you will need Feishu app_id/app_secret and will be uploading the generated video to a third-party cloud — verify you are comfortable sharing that content.
- The skill is from an unknown source (no homepage in registry metadata). If you plan to run it in a sensitive environment, review the repository or run in an isolated environment first.
If you want higher assurance, ask the author for an official source repository or sign-off, or run the script in a disposable container and inspect network traffic and code before using real API keys or sensitive input files.

Like a lobster shell, security has layers — review code before you run it.

latestvk979mv2gd90v6cj8xge3hk950s82hhpm
