hidream-model-gen
v1.0.5Generate images and videos using Vivago AI (智小象) platform. Supports text-to-image, image-to-image, image-to-video, and keyframe-to-video generation. Use when...
⭐ 0· 210·0 current·0 all-time
byharry zhu@zhy2015
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code and manifest: the code implements text->image, img->video, keyframe->video, template handling, and uploads to vivago.ai endpoints. The single required env var (HIDREAM_AUTHORIZATION) is exactly the API bearer token the client uses.
Instruction Scope
SKILL.md and the CLI scripts instruct the agent to call the packaged Python scripts, upload local images to Vivago (via pre-signed URLs), poll for results, and save outputs to an assets/ directory. The runtime instructions and code operate within that scope and do not request or read unrelated system secrets or remote endpoints outside vivago.ai and its storage domains.
Install Mechanism
No registry install spec is declared (skill is instruction-only in registry), but a requirements.txt and full Python source are included in the package. Installation is the normal pip-based flow (pip install -r requirements.txt). No downloads from arbitrary URLs or extract/install steps were found.
Credentials
The skill requires one environment variable (HIDREAM_AUTHORIZATION) which is used as a Bearer token. Some scripts reference HIDREAM_TOKEN as a fallback and mention deprecated STORAGE_AK/STORAGE_SK — these are not required for normal operation but appear as backward-compatible fallbacks. No unrelated credentials (e.g., AWS keys, GitHub tokens) are requested.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide agent settings. It writes generated assets to a local assets/ directory (and /tmp for intermediate files) which is expected behavior for a generator tool.
Assessment
This skill appears to do what it says: it uploads images and requests generation from Vivago (vivago.ai) using the HIDREAM_AUTHORIZATION bearer token. Before installing or running it: 1) Only provide a Vivago API token you control and understand (keep it secret). 2) Be aware that any images you pass will be uploaded to Vivago's servers — avoid sending sensitive or private images. 3) Verify you trust the Vivago service and check its terms/privacy (retention & reuse of images). 4) Because the package includes executable Python code, inspect the code if you run it in sensitive environments; consider running it in an isolated environment (container/VM) and review network egress policies. 5) Note minor inconsistencies: the registry lists no install spec even though requirements.txt and source files are included, and some scripts reference an alternate env var (HIDREAM_TOKEN) and deprecated STORAGE_AK/STORAGE_SK — you can ignore those or set HIDREAM_AUTHORIZATION as instructed. 6) If you need higher assurance, ask the publisher for provenance (homepage or repository) — the skill's source/homepage is not provided in the metadata.Like a lobster shell, security has layers — review code before you run it.
latestvk97e3652ghmycgv8wxqseemek5836mk1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvHIDREAM_AUTHORIZATION