leothebravest

PonyFlash - Media Generation Router

by Ponyflash · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads 145
Stars 1
Active Installs 0
Versions 1
Install in OpenClaw
/install ponyflash
Description
Generate images, videos, speech audio, and music using the PonyFlash Python SDK. Also handle local media editing with FFmpeg, including clip, concat, transco...
Usage Guidance
What to consider before installing/using this skill:
- Secret handling: The SKILL.md asks you to provide a PonyFlash API key (PONYFLASH_API_KEY). The registry metadata does not declare that key — treat this as a red flag and avoid pasting secrets directly into public chat logs. Prefer setting the API key in a secure per-agent secret store or as an environment variable scoped to the agent process, not in an open chat message.
- Runtime installs: The instructions tell you to run `pip install ponyflash` at runtime. Before doing that, review the 'ponyflash' package on PyPI (or its source repository) to ensure it is legitimate and inspect its code. Consider installing in a fresh virtualenv or sandbox rather than system-wide.
- External downloads: The included scripts download subtitle fonts from mirrors.aliyun.com and jsdelivr. Those are public CDNs; this behavior is plausible, but confirm you are comfortable with the network calls and the specific URLs (you can override them with PONYFLASH_NOTO_FONT_URL).
- Local script behavior: The shell and Python scripts operate on local files and create caches under ~/.cache/ponyflash/fonts and temporary task directories. If you run media_ops.sh or ensure_subtitle_fonts.sh, they will read/write those locations. Run these scripts in a controlled workspace and inspect them first if you have privacy concerns.
- How to reduce risk:
  - Do not paste API keys into chat. Configure PONYFLASH_API_KEY via your agent's secret/environment configuration or provide it interactively in a private, secure channel if your agent supports it.
  - Inspect the 'ponyflash' SDK source or pin a known-good version before installing. Use a virtualenv or container for runtime installs.
  - If you only need local FFmpeg editing, you can avoid the cloud path — the FFmpeg scripts do not require the API key.
  - If you must run the skill, run it in a sandbox or test environment first and verify network activity (which hosts the SDK communicates with) and the outputs before trusting it with sensitive data.
- What would change this assessment: If the registry metadata is updated to explicitly declare required env vars (PONYFLASH_API_KEY) and primary credential, and if there is a clear, discoverable, trusted source for the 'ponyflash' SDK (official GitHub/PyPI with matching provenance), my confidence would increase toward 'benign'. Conversely, evidence of the 'ponyflash' pip package being untrusted/malicious would raise severity.

Overall: the skill appears to implement the advertised features, but the undeclared API-key dependency, the recommendation to paste the key into chat, and runtime package downloads are coherence and operational-risk issues — proceed with caution.
Capability Analysis
Type: OpenClaw Skill Name: ponyflash Version: 1.0.0 The 'ponyflash' skill bundle is a legitimate tool for AI media generation and local video editing. It provides a well-structured interface for the PonyFlash Python SDK and includes robust helper scripts (media_ops.sh, check_ffmpeg.sh, build_ass_subtitles.py) for FFmpeg operations like trimming, transcoding, and subtitle burn-in. The scripts demonstrate good security practices, such as proper shell quoting and specific escaping for FFmpeg filter paths. While it requires an API key and performs network requests to fetch subtitle fonts (from mirrors.aliyun.com or jsdelivr.net), these actions are transparently documented and directly support the stated functionality. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found.
Capability Assessment
Purpose & Capability
The skill claims both PonyFlash cloud generation and local FFmpeg editing — that mapping is coherent. However, the registry metadata declares no required environment variables or primary credential, while the SKILL.md explicitly requires a PONYFLASH_API_KEY for cloud tasks. That mismatch (undeclared API key requirement) is an incoherence worth flagging.
Instruction Scope
Runtime instructions ask the agent to: prompt the user for an API key (and suggest pasting it into chat), export it as PONYFLASH_API_KEY, pip install the 'ponyflash' package, run SDK calls to verify balance, run local shell scripts (check_ffmpeg.sh, media_ops.sh), and download subtitle fonts. Asking users to paste secrets into chat and instructing runtime package installation are both scope-expanding behaviors that require user caution.
Install Mechanism
The skill has no formal install spec, but SKILL.md tells the agent/user to run `pip install ponyflash` at runtime. That causes code to be pulled from PyPI (or another pip index) when executed. The included shell scripts also download fonts from two external URLs (mirrors.aliyun.com and jsdelivr). These are plausible for the use-case but increase attack surface compared to a purely instruction-only skill — review the 'ponyflash' package and the font sources before running.
Credentials
The registry lists no required env vars, yet SKILL.md and scripts use/expect: PONYFLASH_API_KEY (sensitive), PONYFLASH_FONT_DIR / PONYFLASH_NOTO_FONT_URL (optional), HOME and PATH. The skill also directs the user to paste the API key into chat. Requesting an API key is reasonable for a cloud SDK, but the missing declaration in metadata and the recommendation to paste the key in chat are both problematic from a credential-proportionality and secret-handling perspective.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes local cache and temporary output files (e.g., ~/.cache/ponyflash/fonts/ and temp task dirs). This is expected for subtitle/font caching and media processing. No elevated or persistent platform privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ponyflash
  3. After installation, invoke the skill by name or use /ponyflash
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of PonyFlash skill for AI-powered media generation and local editing.
- Supports cloud-based image, video, speech, and music generation using the PonyFlash Python SDK (API key required).
- Enables local media editing with FFmpeg: clip, concatenate, transcode, audio extraction, frame capture, and subtitle capabilities.
- Automatically guides setup for PonyFlash API and local FFmpeg dependencies based on task.
- Provides workflow templates ("Creative Playbooks") for multi-step productions.
- Separates cloud media generation and local editing into clear capability paths, with step-by-step instructions for each.
Metadata
Slug ponyflash
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is PonyFlash - Media Generation Router?

Generate images, videos, speech audio, and music using the PonyFlash Python SDK. Also handle local media editing with FFmpeg, including clip, concat, transco... It is an AI Agent Skill for Claude Code / OpenClaw, with 145 downloads so far.

How do I install PonyFlash - Media Generation Router?

Run "/install ponyflash" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is PonyFlash - Media Generation Router free?

Yes, PonyFlash - Media Generation Router is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does PonyFlash - Media Generation Router support?

PonyFlash - Media Generation Router is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created PonyFlash - Media Generation Router?

It is built and maintained by Ponyflash (@leothebravest); the current version is v1.0.0.
