← Back to Skills Marketplace

openlens-skill

Name: openlens-skill
Author: openclawrr

by openclawrr · GitHub ↗ · v1.0.7

cross-platform ⚠ suspicious

420

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install openlens-skill

Description

Minimalist AI video generation portal offering prompt refinement, image-to-video conversion, local saving, streaming downloads, and both GUI and CLI access.

Usage Guidance

Do not install or run this skill as-is. Key issues to address before use: - Replace/remove the bundled config.json: it contains bearer-style API keys; treat them as compromised. If you find these keys are valid, rotate them immediately at the provider and do not reuse them. - Inspect and do not execute publish.sh or any publishing automation unless you understand and intend to push this repository; publish.sh contains an absolute path and will attempt to push to GitHub/ClawHub. - Before running, create your own config.json (or delete the included one), set your API endpoints/keys locally, and keep the file out of any public repo (.gitignore is referenced but verify). Use principle of least privilege for API keys. - Run setup.sh only after reviewing it (it creates a venv and installs requirements — safe but confirm network/package choices). Run Streamlit/CLI in an isolated environment. - If you want to install the skill into a shared agent, ensure the agent's environment does not use the embedded config.json and that keys are provided via secure agent config or parameterized invocation rather than included files. Summary: functionality matches the description, but embedded secrets and publishing scripts are disproportionate and risky. Clean or remove those artifacts and rotate any possibly exposed keys before using.

Capability Analysis

Type: OpenClaw Skill Name: openlens-skill Version: 1.0.7 The OpenLens skill's core functionality is benign, designed for AI image/video generation and local file saving. However, the `config.json` file within the bundle contains a live API key (`sk-px-97d6f29fb4c79b6f21b7ae000d9dab669a4fa1ab`). This constitutes a critical credential exposure vulnerability, despite documentation (`CHANGELOG.md`, `RELEASE-v1.0.7.md`) indicating the developer's intent to protect such keys. The code itself uses this key for its stated purpose and does not exhibit malicious intent like exfiltration or unauthorized actions, but the exposure of a live credential warrants a 'suspicious' classification.

Capability Assessment

ℹ Purpose & Capability

The code (skill_main.py, cli.py, app.py, openlens-web/) implements T2I/T2V/I2V/V2V and a Streamlit GUI exactly as described; network calls and local saving behavior are coherent with the stated purpose. However, the repository includes a populated config.json containing API keys, which contradicts the SKILL.md guidance that users should put their own credentials into config.json and suggests the bundle was published with secrets embedded—this is not necessary for the stated purpose and is disproportionate.

⚠ Instruction Scope

SKILL.md instructs running the GUI/CLI and editing config.json for API credentials, which matches the code. But runtime files include actions beyond simple generation: a publish.sh that changes directories to an absolute user path and performs git push/clawhub publish, and GitHub Actions publish.yml. While these scripts are inert unless executed, they give the skill the capability to push code or trigger remote publication if run. The code itself reads/writes only local config.json and outputs/, but the included publish utilities and hard-coded config file expand scope unexpectedly.

✓ Install Mechanism

There is no remote download or package-install step in the manifest; setup.sh uses standard venv + pip and requirements.txt. No extraction from arbitrary URLs or unusual install locations is present. This is a low-risk, typical local Python install mechanism.

⚠ Credentials

The skill declares no required environment variables, which is consistent, but the repository contains a config.json with populated API keys (video_api_key and text_api_key appear as bearer tokens). Bundling credentials inside the skill package is disproportionate and dangerous: it exposes secrets to anyone with the package and encourages reuse of embedded credentials. The tool_definition and code expect a user-supplied API key parameter, so embedding keys is unnecessary and inconsistent with least privilege.

ℹ Persistence & Privilege

The manifest does not request persistent or elevated privileges (always:false). The skill does not modify other skills or global configs. That said, included scripts (publish.sh and publish.yml) are able to push to GitHub / ClawHub when executed and publish.sh references an absolute workspace path (/Users/clawdbot/.openclaw/workspace/openlens-skill), which could cause accidental repository leakage if run in a different environment or by an automated process—this increases blast radius if a user executes the script without review.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install openlens-skill
After installation, invoke the skill by name or use /openlens-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.7

- Added changelog and release notes files for version 1.0.7. - Introduced config.json for easier API setup. - New video outputs saved in the outputs directory.

v1.0.6

- Initial release of openlens-skill version 1.0.6. - Added main skill logic (skill_main.py). - Introduced configuration example (config.example.json). - Added web app backend with requirements (openlens-web/app.py, openlens-web/requirements.txt). - Included documentation (openlens-web/README.md, tool_definition.json).

v1.0.5

- Updated app.py and manifest.json for version 1.0.5. - No changes to user-facing documentation (SKILL.md content remains the same). - General improvements or fixes included in app.py and manifest.json.

v1.0.4

Version 1.0.4 of openlens-skill - No changes were detected in this version. - SKILL.md and all other files remain unchanged.

v1.0.2

- Removed the sample config.json file from the repository. - Updated SKILL.md to use placeholder values in the configuration example for increased privacy and security.

v1.0.1

- Added configuration and publishing files: config.json, config.toml, publish.sh, and publish.yml. - Improved setup for configuration management and deployment workflows.

v1.0.0

OpenLens Skill 1.0.0 – Minimalist AI Video Generation Portal - Provides a transparent pass-through interface to private video APIs with no content filtering. - Supports both GUI (Streamlit) and CLI operation modes. - Features include LLM-based prompt refinement, image-to-video generation, auto-download and streaming of large videos, and configurable local output. - Allows manual API setup with OpenAI-style /v1/video/generations protocol compatibility. - Includes robust async polling, age verification gate (18+), and CLI automation support. - No safety middleware; fully user-controlled configuration and content.

Metadata

Slug openlens-skill

Version 1.0.7

License —

All-time Installs 0

Active Installs 0

Total Versions 7

Frequently Asked Questions

What is openlens-skill?

Minimalist AI video generation portal offering prompt refinement, image-to-video conversion, local saving, streaming downloads, and both GUI and CLI access. It is an AI Agent Skill for Claude Code / OpenClaw, with 420 downloads so far.

How do I install openlens-skill?

Run "/install openlens-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is openlens-skill free?

Yes, openlens-skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does openlens-skill support?

openlens-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created openlens-skill?

It is built and maintained by openclawrr (@openclawrr); the current version is v1.0.7.

More Skills