WorkRally

v2.1.0

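WorkRally CLI (workrally): an end-to-end toolset for AI agents covering the full AIGC comic-drama video creation workflow. Supports AI image generation, AI video generation, project management, asset library, media asset management, infinite canvas, file upload and download, and more. Use when user asks to generate images, generate vide...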

by Tencent Open Source (腾讯开源) @tencent-adm
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (WorkRally CLI for image/video/project/asset management) matches the declared binary, env vars (API key, endpoint, config dir, update-check flag), and the npm install target. Required binaries and env vars are what a CLI integrating with a hosted service would need.
Instruction Scope
SKILL.md instructs the agent to run the workrally CLI to list models, upload local files, create assets, and mutate canvases; these are appropriate for the stated purpose. Note: many commands read local files (uploads, --file nodes.json, etc.) and will transmit those files to the WorkRally service — this is expected but important to be aware of.
Install Mechanism
Install uses npm install -g workrally which is consistent with providing a 'workrally' binary. npm-based installs are a common, expected mechanism but carry the usual registry risk (package code runs on install). No suspicious external downloads or unusual install locations are declared.
Credentials
Requested env vars (WORKRALLY_API_KEY, WORKRALLY_ENDPOINT, WORKRALLY_CONFIG_DIR, WORKRALLY_NO_UPDATE_CHECK) tie to the CLI and platform usage. Primary credential is the API key — appropriate. The metadata documents where the API key may be persisted (~/.workrally/config.json) and the config-dir override; these are consistent with CLI behavior.
Persistence & Privilege
Skill is user-invocable and not always-enabled. It may cause the CLI to write an API key to the user's WorkRally config file (described in metadata) which is normal for a CLI. The skill does not request system-wide privileges or modify other skills' configs.
Assessment
This skill appears coherent for controlling the WorkRally CLI. Before installing:
1) Confirm the npm package publisher and version (npm install runs code on your machine).
2) Use an API key with least privilege and consider a short-lived key for agents.
3) Be aware the agent may read local files you point it at (uploads, nodes.json) and will transmit them to WorkRally endpoints — do not upload sensitive files.
4) If you prefer not to persist credentials in your home directory, set WORKRALLY_CONFIG_DIR to an ephemeral/controlled path.
5) If you need higher assurance, review the workrally package source on the registry or vendor site before global installation.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Bins: workrally
Env: WORKRALLY_API_KEY, WORKRALLY_ENDPOINT, WORKRALLY_CONFIG_DIR, WORKRALLY_NO_UPDATE_CHECK
Primary env: WORKRALLY_API_KEY

Install

Install WorkRally CLI (npm)
Bins: workrally
npm i -g workrally
