PonyFlash - Media Generation Router

Generate images, videos, speech audio, and music using the PonyFlash Python SDK. Also handle local media editing with FFmpeg, including clip, concat, transco...

What to consider before installing/using this skill: - Secret handling: The SKILL.md asks you to provide a PonyFlash API key (PONYFLASH_API_KEY). The registry metadata does not declare that key — treat this as a red flag and avoid pasting secrets directly into public chat logs. Prefer setting the API key in a secure per-agent secret store or as an environment variable scoped to the agent process, not in an open chat message. - Runtime installs: The instructions tell you to run `pip install ponyflash` at runtime. Before doing that, review the 'ponyflash' package on PyPI (or its source repository) to ensure it is legitimate and inspect its code. Consider installing in a fresh virtualenv or sandbox rather than system-wide. - External downloads: The included scripts download subtitle fonts from mirrors.aliyun.com and jsdelivr. Those are public CDNs; this behavior is plausible, but confirm you are comfortable with the network calls and the specific URLs (you can override them with PONYFLASH_NOTO_FONT_URL). - Local script behavior: The shell and Python scripts operate on local files and create caches under ~/.cache/ponyflash/fonts and temporary task directories. If you run media_ops.sh or ensure_subtitle_fonts.sh, they will read/write those locations. Run these scripts in a controlled workspace and inspect them first if you have privacy concerns. - How to reduce risk: - Do not paste API keys into chat. Configure PONYFLASH_API_KEY via your agent's secret/environment configuration or provide it interactively in a private, secure channel if your agent supports it. - Inspect the 'ponyflash' SDK source or pin a known-good version before installing. Use a virtualenv or container for runtime installs. - If you only need local FFmpeg editing, you can avoid the cloud path — the FFmpeg scripts do not require the API key. - If you must run the skill, run it in a sandbox or test environment first and verify network activity (which hosts the SDK communicates with) and the outputs before trusting it with sensitive data. - What would change this assessment: If the registry metadata is updated to explicitly declare required env vars (PONYFLASH_API_KEY) and primary credential, and if there is a clear, discoverable, trusted source for the 'ponyflash' SDK (official GitHub/PyPI with matching provenance), my confidence would increase toward 'benign'. Conversely, evidence of the 'ponyflash' pip package being untrusted/malicious would raise severity. Overall: the skill appears to implement the advertised features, but the undeclared API-key dependency, the recommendation to paste the key into chat, and runtime package downloads are coherence and operational-risk issues — proceed with caution.

Type: OpenClaw Skill Name: ponyflash Version: 1.0.0 The 'ponyflash' skill bundle is a legitimate tool for AI media generation and local video editing. It provides a well-structured interface for the PonyFlash Python SDK and includes robust helper scripts (media_ops.sh, check_ffmpeg.sh, build_ass_subtitles.py) for FFmpeg operations like trimming, transcoding, and subtitle burn-in. The scripts demonstrate good security practices, such as proper shell quoting and specific escaping for FFmpeg filter paths. While it requires an API key and performs network requests to fetch subtitle fonts (from mirrors.aliyun.com or jsdelivr.net), these actions are transparently documented and directly support the stated functionality. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found.