AI Animation Studio
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears purpose-aligned for making AI animation videos, but users should verify its external media tools, API key use, and local resource folder before running it.
Before installing or running, confirm that doubao-media, edge-tts, ffmpeg, and the referenced local resource folder are trusted and correctly configured. Use a limited Doubao API key, monitor provider costs, and avoid using confidential stories, private images, or unrelated personal files in the resource directory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can execute local media-generation commands on the user's machine.
The skill invokes local subprocesses to run a dependent media-generation script; this is central to the stated animation purpose, but it means the user must trust the local Python environment and helper script.
cmd = ["python", self.doubao_script, "img", prompt, "--size", size]
Use it only after confirming the referenced helper script and Python environment are the expected trusted ones.
If the referenced doubao-media script is missing, outdated, or replaced, this skill's behavior depends on that external code.
The code depends on an external local skill/script at a hardcoded path rather than a bundled or pinned helper; this appears purpose-aligned but creates a dependency/provenance item the user should verify.
self.doubao_script = r"C:\\Users\\10954\\.openclaw\\workspace\\skills\\doubao-media\\scripts\\doubao_media.py"
Install trusted versions of doubao-media, edge-tts, ffmpeg, and any Python packages needed, and update hardcoded paths for the user's environment.
Generated prompts and media requests may use the user's Doubao API account and quota.
The skill requires a Doubao/Volcengine API key for media generation, while the registry metadata declares no primary credential or required env vars. The credential is expected for the stated service, but users should notice the account authority and possible costs.
- **ARK_API_KEY** - Doubao API key
Use a dedicated, least-privilege API key if possible, monitor usage/costs, and do not paste unrelated secrets into prompts.
Story text, generated prompts, and image references may be processed by the external media provider used by doubao-media.
The skill passes animation prompts and image URLs to another local media helper that likely talks to the Doubao provider. This is disclosed and purpose-aligned, but it is still an external/provider data flow.
cmd = ["python", self.doubao_script, "vid", animation_prompt, "--image", image_url, "--duration", str(duration), "--ratio", ratio]
Avoid confidential stories, private images, or regulated data unless the provider's privacy and retention terms are acceptable.
Files placed in the local resource library may shape generated content and may have their paths included in generated script outputs.
The resource indexer scans and loads storyboard/style/effect/audio resources from a fixed local directory, which is expected for a media asset library but means local files can influence generated prompts and exported scripts.
RESOURCE_DIR = r"D:\\AI视频资源"
Keep the resource folder curated and avoid storing unrelated private documents in the configured media-resource directory.
