NovaVideo

Author: onesoloapp · GitHub · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 227
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw:
/install nova-video
Description
Generate images or videos using the Nova Video OpenAPI with a single sentence. Use when the user wants to generate an image, create a video, check video gene...
Safe usage recommendations
Before installing, consider the following:
  1. The SKILL.md requires an API key (NOVA_API_KEY) but the registry metadata does not declare it — ask the publisher to update metadata to declare required credentials.
  2. The install text instructs agents to fetch and 'activate' a remote SKILL.md from https://nova-video.onesolo.app; that lets the remote site change the skill behavior after registry approval — avoid installing unless you trust that domain and its update process.
  3. Treat NOVA_API_KEY as sensitive: do not set it unless you trust the service's privacy and retention policies, and do not set NOVA_BASE_URL to an untrusted host (it would receive your API key).
  4. If you need this functionality, prefer a skill whose SKILL.md and install files are served from the registry (or from a well-known, audited domain) and whose required env vars are declared in metadata.
  5. If you proceed, review network traffic and logs to ensure requests go to the expected domain and limit how long an agent is allowed to poll (15 minutes of polling ties up resources).
Functional analysis
Type: OpenClaw Skill
Name: nova-video
Version: 1.0.1
The skill provides image and video generation capabilities via the Nova Video API (nova-video.onesolo.app). It contains a shell injection vulnerability in the SKILL.md instructions, where the agent is directed to use curl with unsanitized variables (e.g., $IMAGE_URL and $IMAGE_RESP) derived from previous API responses. This pattern could allow a malicious or compromised API endpoint to execute arbitrary commands on the host system if the response contains shell metacharacters or command substitutions.
Capability assessment
Purpose & Capability
The SKILL.md describes image and video generation via the Nova Video OpenAPI, which matches the skill name and description. However, the registry metadata declares no required env vars or primary credential while the runtime instructions clearly require NOVA_API_KEY (and optionally NOVA_BASE_URL). That mismatch is unexpected.
Instruction Scope
The install instructions explicitly tell agents to 'Read https://nova-video.onesolo.app/SKILL.md' (fetch and activate remote instructions). This allows a remote site to change behavior outside the registry. The SKILL.md also instructs long polling up to 15 minutes and saving long signed URLs to files — acceptable for the task but increases data-handling surface. The remote-fetch pattern and implicit trust in an external domain are the primary scope concerns.
Install Mechanism
There is no install spec or code to write to disk (instruction-only), which is lower-risk. However, the skill's install text encourages an agent to fetch a remote SKILL.md from an external domain rather than relying solely on registry content — that is an installation-time integrity concern even though no package is installed.
Credentials
Registry metadata lists no required env vars, but SKILL.md requires NOVA_API_KEY (and optionally NOVA_BASE_URL) to operate. Requiring an API key for an external service is reasonable, but the absence of this in metadata is an inconsistency. Also, NOVA_BASE_URL being user-configurable means a user (or attacker) could point requests — and the API key — to an arbitrary endpoint.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide config or other skills' credentials. Autonomous invocation is allowed (platform default) but isn't combined with other elevated privileges here.
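How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install nova-video
  3. Once installation completes, call the Skill by name or trigger it with /nova-video
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history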
v1.0.1
- Added a note about a free tier: every user now gets 60 free text-to-image generations per month at no cost.
- New "Install this skill" section with direct install and OpenClaw instructions.
- No changes to API or workflow; usage remains the same for generating images and videos.
v1.0.0
NovaVideo empowers creators to bridge the gap between imagination and reality. Seamlessly generate stunning AI visuals and transform them into professional grade videos with advanced scene control and motion synthesis.
v1.0.0 — Initial Release
- New Feature: Text-to-Image Generation – Create high-fidelity visuals directly from natural language prompts.
- New Feature: Image-to-Video Transformation – Animate static images into cinematic video sequences with advanced AI motion synthesis.
- Stability Improvements – Optimized generation speed and visual consistency.
Metadata
Slug nova-video
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Historical versions 2
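Frequently asked questions

What is NovaVideo?

Generate images or videos using the Nova Video OpenAPI with a single sentence. Use when the user wants to generate an image, create a video, check video gene... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 227 cumulative downloads to date.

How do I install NovaVideo?

Run the command "/install nova-video" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is NovaVideo free?

Yes, NovaVideo is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does NovaVideo support?

NovaVideo runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed NovaVideo?

Developed and maintained by onesoloapp (@onesoloapp); the current version is v1.0.1.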
