← 返回 Skills 市场
Aura Video
作者
ScottEverduim
· GitHub ↗
· v1.0.0
364
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install aura-video
功能描述
Generate a complete Aura Creatine TikTok/Instagram video from a JSON script. Reads the script from Google Drive, generates A-roll (Kristina image-to-video vi...
使用说明 (SKILL.md)
Aura Video Generator
Generate a complete Aura Creatine video from a single script ID.
Usage
bash {baseDir}/scripts/aura_video.sh week1_day1_vid1
Replace week1_day1_vid1 with any script ID from Google Drive/Aura Creatine/Content Pipeline/01_Scripts/.
How it works
- Load JSON script from Google Drive (
Content Pipeline/01_Scripts/\x3Cid>.json) - Generate each scene based on
typefield:a-roll→ AIML image-to-video (Kristina base image + prompt)b-roll→ Gemini Veo text-to-video (prompt only)animation→ Gemini Veo text-to-video (prompt only, animation style)
- Load voiceover MP3 from Google Drive (
voiceovers/folder) - Merge scenes with FFmpeg: concatenate clips, add voiceover, add captions
- Upload final video to Google Drive (
Content Pipeline/03_Final_Videos/) - Send video back to the chat
Script JSON format
{
"meta": {
"id": "week1_day1_vid1",
"title": "Why Women Need Creatine More"
},
"assets": {
"kristina_base_image": "Brand Kit/kristina_reference_primary.png",
"voiceover_mp3": "voiceovers/Vid 1 Why Women Need Creatine More.mp3",
"voiceover_text": "Did you know that women naturally have 70-80% lower creatine stores...",
"on_screen_captions": ["Women have 70-80% less creatine", "Bridge the energy gap", "Start with 3-5g daily"]
},
"scenes": [
{ "scene": 1, "type": "a-roll", "prompt": "Kristina sits at kitchen table...", "caption": "Women have 70-80% less creatine", "duration_seconds": 8 },
{ "scene": 2, "type": "b-roll", "prompt": "Animated bar chart showing women vs men creatine levels...", "caption": "Bridge the energy gap", "duration_seconds": 8 },
{ "scene": 3, "type": "a-roll", "prompt": "Kristina focused, smiling, typing on laptop...", "caption": "Start with 3-5g daily", "duration_seconds": 8 }
]
}
Available scripts
All scripts are in Google Drive/Aura Creatine/Content Pipeline/01_Scripts/:
week1_day1_vid1— Why Women Need Creatine Moreweek1_day2_vid1— The Creatine Myth Debunkedweek1_day3_vid1— Creatine Against Brain Fogweek1_day4_vid1— Sleep Almost An Hour Longerweek1_day5_vid1— Creatine & Depressionweek1_day6_vid1— Constantly Feeling Rushedweek1_day7_vid1— Better Memory
Notes
- All videos are rendered in 9:16 (vertical) format for TikTok/Instagram Reels
- A-roll scenes use the Kristina base image from
Brand Kit/ - Voiceover MP3s are pre-recorded and loaded from Google Drive (no ElevenLabs cost)
- Final video is ~24 seconds (3 scenes × 8 seconds)
- Output is uploaded to
Content Pipeline/03_Final_Videos/and sent to chat
安全使用建议
This skill appears to implement the advertised video pipeline, but it has several red flags you should address before installing or running it:
- Secrets & configs: The scripts expect AIML/GEMINI API keys (declared in SKILL.md) but also source $HOME/.openclaw/.env and look for TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID and a rclone Google Drive config ($HOME/.gdrive-rclone.ini). Make sure you understand where those files/keys would come from and do not place high-privilege credentials there unless you trust the code.
- Hidden dependencies & paths: The bash scripts call ffmpeg at a hardcoded Homebrew path and a Python binary inside another skill's venv ($HOME/.openclaw-workspace/skills/auraveo). Confirm those helper scripts and the venv are present and trusted; otherwise the skill may run arbitrary code outside its own directory.
- Missing declarations: The registry metadata did not list the environment variables, binaries, or config paths the scripts actually need. Treat that as a sign to audit the full repository and any external helper scripts before use.
- Run in isolation: If you want to test, run the pipeline in an isolated environment (dedicated VM or container) with minimal credentials and monitored network access. Verify the auraveo helper scripts and render helpers are exactly what you expect (or modify aura_video.sh to point to known-trusted paths).
- If you need to proceed: add explicit, minimal API keys in an isolated credential store, ensure rclone config only has the necessary Drive access, and inspect/replace any hardcoded absolute paths to point to vetted binaries inside the skill folder.
If you want, I can list the exact lines/locations in the scripts that reference the undeclared files and creds, or help craft a safer wrapper that limits which external commands/paths are used.
功能分析
Type: OpenClaw Skill
Name: aura-video
Version: 1.0.0
The skill bundle implements a video production pipeline that is highly vulnerable to shell injection. Specifically, scripts/aura_video.sh and scripts/aroll_watcher.sh parse JSON data from Google Drive and rclone output using 'python3 -c' and then pass these unsanitized strings directly into shell commands and subshells. While the behavior appears aligned with the stated goal of automating 'Aura Creatine' content, the lack of input validation and the direct reading of sensitive environment files ($HOME/.openclaw/.env) to extract API keys represent significant security flaws rather than intentional malice.
能力评估
Purpose & Capability
Name/description claim: generate videos from a Google Drive JSON script using AIML, Gemini, and Remotion — which matches the included code. However the registry metadata claimed no required env or binaries but the SKILL.md and scripts clearly expect API keys (AIML/GEMINI), rclone config for Google Drive, a specific ffmpeg binary, and Python scripts/venv from another skill (auraveo). These external/local paths and tools are not declared in the registry metadata, which is inconsistent and disproportionate.
Instruction Scope
Runtime scripts do more than the SKILL.md prose implies: they source $HOME/.openclaw/.env, read AIML_API_KEY and optional Telegram tokens, use rclone to copy files to/from Google Drive, call Python scripts living under $HOME/.openclaw-workspace/skills/auraveo, and call a render helper in $HOME/aura-remotion. They also optionally POST to Telegram. The instructions therefore access local dotfiles, state/log files, and external network endpoints beyond those explicitly documented; that scope creep is not declared in the registry metadata.
Install Mechanism
There is no install spec (instruction-only), which lowers supply-chain risk, but the bundle includes node project files (package.json, package-lock) and shell scripts that expect Remotion, Node/React, ffmpeg, rclone, and a Python venv to be present. Because no install steps are provided, an operator may inadvertently run scripts on a system that doesn't meet these hidden prerequisites or runs untrusted code from referenced paths.
Credentials
SKILL.md metadata lists GEMINI_API_KEY and AIML_API_KEY, which are reasonable for text/video-generation. However the scripts also read other secrets/config that were not declared: they source $HOME/.openclaw/.env (grep for AIML_API_KEY), look for TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID for notifications, and require an rclone Google Drive config at $HOME/.gdrive-rclone.ini. Those additional credentials and config accesses are not declared in the registry metadata, making the requested environment access broader than communicated.
Persistence & Privilege
always:false (good). But the included watcher writes state and log files to the user's home ($HOME/.aroll_watcher_state, $HOME/.aroll_watcher.log) and is intended to run from cron. More importantly, the main script executes Python helper scripts from another skill's venv ($HOME/.openclaw-workspace/skills/auraveo/venv) and calls other local helper scripts (e.g., render_animation.sh) using hardcoded absolute paths. That coupling means this skill can execute code outside its own directory, which elevates the impact if those external scripts are untrusted or malicious.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install aura-video - 安装完成后,直接呼叫该 Skill 的名称或使用
/aura-video触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of aura-video: generate complete 9:16 TikTok/Instagram videos from a single JSON script.
- Loads script and media assets from Google Drive, generates scenes with AIML and Gemini Veo, merges with Remotion and FFmpeg.
- Supports A-roll (image-to-video), B-roll (text-to-video), animation scenes, voiceover MP3, and captions.
- Final video (~24 sec, 3 scenes) is uploaded to Google Drive and sent back to chat.
元数据
常见问题
Aura Video 是什么?
Generate a complete Aura Creatine TikTok/Instagram video from a JSON script. Reads the script from Google Drive, generates A-roll (Kristina image-to-video vi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 364 次。
如何安装 Aura Video?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install aura-video」即可一键安装,无需额外配置。
Aura Video 是免费的吗?
是的,Aura Video 完全免费(开源免费),可自由下载、安装和使用。
Aura Video 支持哪些平台?
Aura Video 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Aura Video?
由 ScottEverduim(@scotteverduim)开发并维护,当前版本 v1.0.0。
推荐 Skills