Jimeng Video Generator
v2.0.0即梦AI视频生成工具(带声音版本),通过火山引擎API自动生成带音频的高质量视频。支持文生视频、图生视频,适用于短视频内容创作。
⭐ 3· 1.7k·16 current·16 all-time
byBuck@tel18610240060-collab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (calling VolcEngine/火山引擎 to generate videos with audio) legitimately requires API credentials. However, the registry metadata declares no required env vars or primary credential, while SKILL.md instructs the user to create a credential file with VOLCENGINE_ACCESS_KEY_ID and VOLCENGINE_SECRET_ACCESS_KEY. The mismatch is unexplained and therefore concerning.
Instruction Scope
SKILL.md contains concrete curl examples that send data to https://ark.cn-beijing.volces.com (expected for VolcEngine). But instructions reference writing credentials to ~/.openclaw/.credentials/volcengine-dreamina.env and using an Authorization header with ${API_KEY} — the variable names and usage are inconsistent. README and SKILL.md also show CLI commands (jimeng-video generate) and a local binary path (~/.openclaw/skills/jimeng-video/jimeng-video) despite there being no install spec or binary in the package. These gaps create ambiguity about what will run and which secrets are used.
Install Mechanism
There is no install spec and no bundled code — this reduces immediate code-execution risk. However README claims '已自动安装,无需额外操作' and shows a local CLI path, which conflicts with the absence of an installer or binaries. That discrepancy is a usability/traceability concern (unknown origin).
Credentials
Requesting VolcEngine API keys is proportionate to the stated purpose, but the skill metadata lists no required env vars while SKILL.md tells users to place VOLCENGINE_ACCESS_KEY_ID and VOLCENGINE_SECRET_ACCESS_KEY in a credentials file. Additionally examples use an ${API_KEY} header placeholder that is not explained — this inconsistent handling of secrets increases risk of misconfiguration or accidental exposure. The skill does not declare these in registry metadata, so automatic permission checks may be bypassed.
Persistence & Privilege
The skill does not request 'always: true', does not declare system-wide config changes, and only references storing credentials in a per-user ~/.openclaw path — which is expected for a service integration. It does not request elevated or persistent platform privileges in the manifest.
What to consider before installing
This skill appears to be a VolcEngine (火山引擎) video-generation helper and therefore will need VolcEngine API keys, but the package metadata omitted those requirements and contains inconsistent examples. Before installing: 1) Ask the publisher for the skill's source/homepage and a verified install mechanism or binary — avoid running an untracked CLI. 2) Confirm exactly which environment variables are required (VOLCENGINE_ACCESS_KEY_ID / VOLCENGINE_SECRET_ACCESS_KEY vs API_KEY) and how they are used in requests. 3) Only provide API keys scoped to the minimum permissions needed and do not reuse high-privilege keys. 4) Store credentials with strict file permissions (600) and verify the endpoint (ark.cn-beijing.volces.com) is the expected VolcEngine host. 5) If you cannot verify origin or the install process, prefer not to install; ask the author to update the manifest to declare required env vars and provide a reproducible install step.Like a lobster shell, security has layers — review code before you run it.
aivk971rw45tjaf28xjprw9q53hvx820116audiovk971rw45tjaf28xjprw9q53hvx820116jimengvk971rw45tjaf28xjprw9q53hvx820116latestvk971rw45tjaf28xjprw9q53hvx820116short-videovk971rw45tjaf28xjprw9q53hvx820116videovk971rw45tjaf28xjprw9q53hvx820116volcenginevk971rw45tjaf28xjprw9q53hvx820116
License
MIT-0
Free to use, modify, and redistribute. No attribution required.