volcengine-video-generate

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Volcengine video-generation helper, but users should review its API-key use, external prompt/image upload, and local output-file path.

Before installing, confirm you trust the Volcengine/Ark service and SDK, use the least-privileged API key available, avoid sending sensitive prompts or local images, and choose a safe output filename in a directory where writing or overwriting files is acceptable.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may use credentials that can authorize cloud API calls and potentially incur account usage or cost.

Why it was flagged

The skill relies on cloud-service credentials. That is expected for a Volcengine video-generation integration, but users should prefer scoped API keys and note that the registry metadata does not declare these environment variables.

Skill content

it will try to read the `MODEL_VIDEO_API_KEY` or `ARK_API_KEY` environment variables... use `VOLCENGINE_ACCESS_KEY` and `VOLCENGINE_SECRET_KEY`

Recommendation

Use a scoped Ark/model API key when possible, avoid broad cloud account keys unless necessary, and confirm expected billing and permissions before use.

What this means

Prompts and optional local image contents may be sent to Volcengine for processing.

Why it was flagged

When a local first-frame file is supplied, the script base64-encodes it and sends it with the prompt to the external Ark content-generation API. This is purpose-aligned, but it crosses a local-to-cloud data boundary.

Skill content

with open(image_input, "rb") as image_file: ... return f"data:{mime_type};base64,{encoded_string}" ... client.content_generation.tasks.create(model=model_name, content=content)

Recommendation

Do not provide confidential prompts or local image files unless you are comfortable sending them to the provider.

What this means

If given an unsafe path, the script could write or overwrite a local file at that path.

Why it was flagged

The script writes the downloaded video to the caller-provided filename and creates directories as needed. That is expected for the stated purpose, but the artifacts do not restrict the output path.

Skill content

dirname = os.path.dirname(filename) ... os.makedirs(dirname, exist_ok=True) ... urllib.request.urlretrieve(video_url, filename)

Recommendation

Save output under a known project or downloads directory and avoid protected or important existing file paths.

What this means

Users may need to install the required SDK separately and should ensure they get it from a trusted source.

Why it was flagged

The script depends on an external SDK, but the supplied artifacts include no install spec or pinned dependency information. No malicious install behavior is shown, but dependency provenance is not fully documented.

Skill content

from volcenginesdkarkruntime import Ark

Recommendation

Install the Volcengine/Ark SDK from the official package source and verify version and provenance before running the skill.