中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:23 hr ago Rescan
5 /100
ark-video-storyboard
Generate storyboard and prompts from scene description, confirm with user, then optionally submit multi-segment video generation tasks to Volcengine Ark API
Legitimate video storyboard generation skill using Volcengine's Ark API with no malicious behavior detected.
Skill Nameark-video-storyboard
Duration41.9s
Enginepi
Safe to install
The skill is safe to use. Consider documenting subprocess/curl usage explicitly in SKILL.md for transparency.

Findings 1 items

Severity Finding Location
Low
Shell execution not explicitly documented Doc Mismatch
SKILL.md describes the workflow and API usage but does not explicitly mention that subprocess with curl commands is used for API calls. However, shell:WRITE is declared in the tool mapping.
Uses scripts/ for API submission and polling
→ Add explicit mention of shell/curl usage in SKILL.md capabilities section
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned Downloads videos to ~/.openclaw/media/
Shell WRITE WRITE ✓ Aligned subprocess.run with curl commands in submit_segment.py:36-40, download_video.py:…
Network READ READ ✓ Aligned API calls to https://ark.cn-beijing.volces.com/api/v3/
Environment READ READ ✓ Aligned Reads ARK_API_KEY environment variable in submit_segment.py:18-19
2 findings
🔗
Medium External URL 外部 URL
https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks
references/api.md:5
🔗
Medium External URL 外部 URL
https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks/
references/api.md:34

File Tree

11 files · 34.0 KB · 888 lines
Markdown 5f · 467L Python 6f · 421L
├─ 📁 references
│ ├─ 📝 api.md Markdown 91L · 3.7 KB
│ ├─ 📝 examples.md Markdown 14L · 912 B
│ ├─ 📝 prompt-rules.md Markdown 32L · 746 B
│ └─ 📝 storyboard-schema.md Markdown 65L · 1.7 KB
├─ 📁 scripts
│ ├─ 🐍 build_storyboard.py Python 59L · 2.6 KB
│ ├─ 🐍 download_video.py Python 74L · 2.5 KB
│ ├─ 🐍 get_task_result.py Python 46L · 1.4 KB
│ ├─ 🐍 poll_task_until_done.py Python 58L · 1.9 KB
│ ├─ 🐍 run_full_generation.py Python 123L · 5.2 KB
│ └─ 🐍 submit_segment.py Python 61L · 2.0 KB
└─ 📝 SKILL.md Markdown 265L · 11.4 KB

Security Positives

✓ All network requests go to legitimate Volcengine API endpoint (ark.cn-beijing.volces.com)
✓ API key access follows documented hierarchy (env var → config file)
✓ Confirmation-first workflow prevents accidental execution
✓ Videos are downloaded locally to ~/.openclaw/media/ not exfiltrated
✓ No credential harvesting beyond user's own ARK_API_KEY
✓ No obfuscation, base64 execution, or anti-analysis techniques
✓ Clear error handling with user-facing messages
✓ Sequential segment submission prevents race conditions