Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
volcengine-video-generate
v1.0.0Using volcengine video_generate.py script to generate video, need to provide filename and prompt, optional provide first frame image (URL or local path).
⭐ 0· 857·2 current·2 all-time
byvolcengine_skills@warm-wm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The code (scripts/video_generate.py) implements text-to-video generation via the Ark SDK and downloads the produced video to the requested filename — this matches the skill name/description. Minor mismatch: SKILL.md claims a fallback to use VOLCENGINE_ACCESS_KEY/VOLCENGINE_SECRET_KEY to obtain an Ark API key, but the included script only reads MODEL_VIDEO_API_KEY or ARK_API_KEY; there is no implementation of the described fallback.
Instruction Scope
Instructions are narrowly scoped to running the script with filename, prompt, and optional first-frame image (URL or local path). They correctly describe local file reading (converted to base64) and downloading the generated video. However, SKILL.md documents credential fallback behavior that is not present in the script, which is an instruction/content mismatch.
Install Mechanism
No install spec — instruction-only with a single included Python script. Nothing is downloaded or installed by the skill itself, which is low-risk from an install mechanism perspective.
Credentials
Registry metadata declares no required environment variables, but both SKILL.md and the script rely on sensitive environment variables (MODEL_VIDEO_API_KEY or ARK_API_KEY). SKILL.md also mentions VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY fallback which the script does not implement — this discrepancy is concerning because sensitive credentials are involved but not declared in the metadata. The script will send prompts and optionally base64-encoded image data to the Ark service, which is expected but should be explicit in the metadata.
Persistence & Privilege
The skill does not request permanent presence (always is false), does not modify other skill configs, and does not require elevated system privileges. It will create directories matching the provided filename path and write the downloaded video file, which is expected behavior.
What to consider before installing
This skill appears to be a simple wrapper over Volcengine's Ark content-generation API and downloads the resulting video, which aligns with its stated purpose. However: (1) the registry lists no required environment variables but the script needs an API key (MODEL_VIDEO_API_KEY or ARK_API_KEY) — be prepared to provide a valid key before running; (2) SKILL.md claims an additional fallback using VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY, but that logic is not present in the code — treat that claim as inaccurate; (3) the script will send your text prompt and any provided image (it may convert a local image to a base64 data URI) to the Ark API and will download the returned video URL — only use with a trusted API endpoint and avoid embedding secrets in prompts or image metadata; (4) source and homepage are unknown — if you need stronger assurance, request provenance (author, official repo, or signed release) or run the script in an isolated environment. If you accept these caveats and can supply the required API key, the skill is usable; otherwise proceed cautiously or seek a version with clearer credential handling and provenance.Like a lobster shell, security has layers — review code before you run it.
latestvk977rypa5fcs3a85k0yf2bc89x80w4qq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.