Qwen Video (Wan)

Author: 547895019 · GitHub · v1.1.0
cross-platform ⚠ suspicious
Total downloads: 925
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install qwen-video
Description
Generate videos using Alibaba Cloud DashScope Wan (通义万相) text-to-video (t2v) API (e.g., wan2.6-t2v). Use when the user asks to create a short video from a te...
Security usage recommendations
This skill appears to do what it says (submit a DashScope Wan t2v job, poll it, and download the mp4), but there are several things you should consider before installing or running it:
- Metadata mismatch: The registry claims no required environment variables or binaries, yet the SKILL.md and scripts require DASHSCOPE_API_KEY and CLI tools (curl, bash, python3). Treat the manifest as incomplete and verify you provide only a key with least privilege.
- TLS verification disabled: The scripts use curl -k which skips certificate validation. Prefer removing -k to ensure TLS certificates are checked, or only run the scripts in a trusted network if you cannot change them.
- Prompt / JSON handling: submit.sh interpolates prompt text directly into JSON; avoid running untrusted prompts that might break the JSON or include unexpected characters. Consider sanitizing or escaping input before use.
- Filesystem writes: The skill will download and write video files to paths you specify. Ensure you choose a safe output path and run in an environment where writing is acceptable (e.g., not a sensitive system directory).
Recommended actions: review the scripts locally, add DASHSCOPE_API_KEY to the skill manifest or your environment, ensure curl and python3 are installed, remove the -k flags or validate certificates, and consider running first in an isolated environment. If the publisher can update the package metadata to declare required env vars and binaries and remove -k, the incoherence would be resolved and my confidence would increase.
Functional analysis
Type: OpenClaw Skill
Name: qwen-video
Version: 1.1.0
The skill is suspicious due to two significant vulnerabilities. All `curl` commands in `scripts/generate.sh`, `scripts/poll.sh`, and `scripts/submit.sh` use the `-k` (insecure) flag, disabling SSL certificate validation and making API communication vulnerable to Man-in-the-Middle (MITM) attacks. Furthermore, `scripts/submit.sh` directly embeds user-provided `$PROMPT` and `$AUDIO_URL` into a JSON payload without proper escaping, creating a JSON injection vulnerability that could lead to malformed API requests or unexpected behavior.
Capability assessment
Purpose & Capability
The skill's purpose (submit/poll/download t2v jobs to DashScope Wan) matches the scripts' behavior, but the registry metadata claims no required env vars or binaries while the SKILL.md and scripts clearly require DASHSCOPE_API_KEY and command-line tools (curl, bash, python3). The missing metadata declarations are an incoherence: a video-submit skill legitimately needs the API key and networking tools, so the manifest should list them.
Instruction Scope
SKILL.md and the included scripts limit themselves to submitting an async job, polling status, and downloading the mp4 (expected). However: (1) all curl invocations include -k which disables TLS verification (weakens transport security); (2) submit.sh constructs JSON by interpolating user-supplied prompt and other fields without strict escaping (could break or be abused if prompts contain quotes/newlines); (3) scripts write downloaded media to arbitrary filesystem paths (expected for a downloader but the user should be aware). The instructions do not attempt to read unrelated files or secrets beyond the API key.
Install Mechanism
No install spec is present (instruction-only with shipped scripts). That is the lowest-risk install pattern. The only risk is that the runtime requires command-line tools which are not declared in registry metadata (see purpose_capability).
Credentials
The scripts and SKILL.md require a single credential, DASHSCOPE_API_KEY, which is proportionate to the stated purpose. The problem is the registry metadata does not declare this required env var (it lists none). Also the skill does not request other unrelated secrets, which is good.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs on demand and writes only its output media to the filesystem (as expected).
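How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install qwen-video
  3. Once installation completes, call the Skill by name or use /qwen-video to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history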
v1.1.0
Add advanced features: multi-shot, auto audio, custom audio, silent video, negative prompt, and model comparison table
v1.0.0
Initial release - Qwen/Wan video generation via DashScope API
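Metadata
Slug qwen-video
Version 1.1.0
License
Total installs 1
Current installs 1
Number of versions 2
FAQ

What is Qwen Video (Wan)?

Generate videos using Alibaba Cloud DashScope Wan (通义万相) text-to-video (t2v) API (e.g., wan2.6-t2v). Use when the user asks to create a short video from a te... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 925 total downloads to date.

How do I install Qwen Video (Wan)?

Run the command "/install qwen-video" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Qwen Video (Wan) free?

Yes, Qwen Video (Wan) is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Qwen Video (Wan) support?

Qwen Video (Wan) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Qwen Video (Wan)?

Developed and maintained by 547895019 (@547895019); the current version is v1.1.0.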
