volcengine-video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to match its stated purpose, but it requires VolcEngine API credentials and can submit paid or quota-consuming video-generation requests to an external service.
Before installing, make sure you are comfortable storing VolcEngine API keys for this skill and sending video prompts to VolcEngine. Prefer a limited-purpose key, keep the config file private, and review generation requests because they may use account quota or cost money.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the configured keys through this skill may submit video-generation or status-query requests under the user's VolcEngine account.
The skill requires delegated VolcEngine credentials. This is expected for calling the VolcEngine API, but it gives the skill authority to act on the user's VolcEngine account.
The API keys are stored in the `config.json` file, in the following format:
{
  "access_key": "your_access_key",
  "secret_key": "your_secret_key"
}
Use a least-privileged VolcEngine key where possible, keep config.json private, and rotate the key if it is exposed.
A user request to generate a video can create a real task on VolcEngine and may affect billing or service quota.
The script submits a video-generation task to VolcEngine using the configured account credentials. This is the advertised purpose, but it is an external account action that may consume quota or incur costs.
"Action": "CVSync2AsyncSubmitTask" ... requests.post(request_url, headers=headers, data=req_body)
Confirm the prompt, frame count, and account to be used before submitting generation requests, especially for large or repeated jobs.
