← Back to Skills Marketplace
925
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install qwen-video
Description
Generate videos using Alibaba Cloud DashScope Wan (通义万相) text-to-video (t2v) API (e.g., wan2.6-t2v). Use when the user asks to create a short video from a te...
Usage Guidance
This skill appears to do what it says (submit a DashScope Wan t2v job, poll it, and download the mp4), but there are several things you should consider before installing or running it:
- Metadata mismatch: The registry claims no required environment variables or binaries, yet the SKILL.md and scripts require DASHSCOPE_API_KEY and CLI tools (curl, bash, python3). Treat the manifest as incomplete and verify you provide only a key with least privilege.
- TLS verification disabled: The scripts use curl -k which skips certificate validation. Prefer removing -k to ensure TLS certificates are checked, or only run the scripts in a trusted network if you cannot change them.
- Prompt / JSON handling: submit.sh interpolates prompt text directly into JSON; avoid running untrusted prompts that might break the JSON or include unexpected characters. Consider sanitizing or escaping input before use.
- Filesystem writes: The skill will download and write video files to paths you specify. Ensure you choose a safe output path and run in an environment where writing is acceptable (e.g., not a sensitive system directory).
Recommended actions: review the scripts locally, add DASHSCOPE_API_KEY to the skill manifest or your environment, ensure curl and python3 are installed, remove the -k flags or validate certificates, and consider running first in an isolated environment. If the publisher can update the package metadata to declare required env vars and binaries and remove -k, the incoherence would be resolved and my confidence would increase.
Capability Analysis
Type: OpenClaw Skill
Name: qwen-video
Version: 1.1.0
The skill is suspicious due to two significant vulnerabilities. All `curl` commands in `scripts/generate.sh`, `scripts/poll.sh`, and `scripts/submit.sh` use the `-k` (insecure) flag, disabling SSL certificate validation and making API communication vulnerable to Man-in-the-Middle (MITM) attacks. Furthermore, `scripts/submit.sh` directly embeds user-provided `$PROMPT` and `$AUDIO_URL` into a JSON payload without proper escaping, creating a JSON injection vulnerability that could lead to malformed API requests or unexpected behavior.
Capability Assessment
Purpose & Capability
The skill's purpose (submit/poll/download t2v jobs to DashScope Wan) matches the scripts' behavior, but the registry metadata claims no required env vars or binaries while the SKILL.md and scripts clearly require DASHSCOPE_API_KEY and command-line tools (curl, bash, python3). The missing metadata declarations are an incoherence: a video-submit skill legitimately needs the API key and networking tools, so the manifest should list them.
Instruction Scope
SKILL.md and the included scripts limit themselves to submitting an async job, polling status, and downloading the mp4 (expected). However: (1) all curl invocations include -k which disables TLS verification (weakens transport security); (2) submit.sh constructs JSON by interpolating user-supplied prompt and other fields without strict escaping (could break or be abused if prompts contain quotes/newlines); (3) scripts write downloaded media to arbitrary filesystem paths (expected for a downloader but the user should be aware). The instructions do not attempt to read unrelated files or secrets beyond the API key.
Install Mechanism
No install spec is present (instruction-only with shipped scripts). That is the lowest-risk install pattern. The only risk is that the runtime requires command-line tools which are not declared in registry metadata (see purpose_capability).
Credentials
The scripts and SKILL.md require a single credential, DASHSCOPE_API_KEY, which is proportionate to the stated purpose. The problem is the registry metadata does not declare this required env var (it lists none). Also the skill does not request other unrelated secrets, which is good.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs on demand and writes only its output media to the filesystem (as expected).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install qwen-video - After installation, invoke the skill by name or use
/qwen-video - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Add advanced features: multi-shot, auto audio, custom audio, silent video, negative prompt, and model comparison table
v1.0.0
Initial release - Qwen/Wan video generation via DashScope API
Metadata
Frequently Asked Questions
What is Qwen Video (Wan)?
Generate videos using Alibaba Cloud DashScope Wan (通义万相) text-to-video (t2v) API (e.g., wan2.6-t2v). Use when the user asks to create a short video from a te... It is an AI Agent Skill for Claude Code / OpenClaw, with 925 downloads so far.
How do I install Qwen Video (Wan)?
Run "/install qwen-video" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Qwen Video (Wan) free?
Yes, Qwen Video (Wan) is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Qwen Video (Wan) support?
Qwen Video (Wan) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Qwen Video (Wan)?
It is built and maintained by 547895019 (@547895019); the current version is v1.1.0.
More Skills