Video Producer
Security checks across malware telemetry and agentic risk
Overview
The video-generation purpose is plausible, but the skill embeds provider keys and builds shell commands from video text, which creates real local command-execution and credential-boundary risk.
Review this skill before installing. Use it only in an isolated workspace, remove the embedded API keys, supply your own credentials securely, and do not pass untrusted text into it until the shell-command construction is fixed and the external helper scripts are bundled or verified.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidentally unsafe script line could cause the user's machine to run unintended shell commands with the user's permissions.
The command is executed through a shell and includes TTS text derived from the video scenes. Escaping only double quotes does not prevent shell expansion such as command substitution, which the shell still performs inside double quotes.
const cmd = 'MINIMAX_API_KEY=' + CONFIG.ttsApiKey + ' python3 "' + CONFIG.ttsScript + '" "' + text.replace(/"/g, '\\"') + '" --output "' + outputFile + '"'; ... execSync(cmd, { encoding: 'utf-8', timeout: 60000 });
Replace execSync shell strings with execFile/spawn argument arrays, pass the API key through the env option, and reject or safely encode untrusted scene text.
Requests may be associated with an embedded third-party account, and the exposed keys could be abused, revoked, or create unclear billing and data-ownership boundaries.
The code contains live-looking fallback MiniMax API keys instead of requiring the user to provide credentials, while the registry metadata declares no required env vars or primary credential.
ttsApiKey: process.env.MINIMAX_API_KEY || 'sk-api-h-4sIEVwz...', imageApiKey: process.env.MINIMAX_IMAGE_API_KEY || 'sk-cp-1VnmtfYM...'
Remove hardcoded keys, declare the required MiniMax credentials in metadata, and require users to supply their own API keys via environment variables or a secure credential store.
The skill may fail unpredictably or run unreviewed code from neighboring directories if those paths exist.
At runtime the skill depends on and executes sibling scripts that are not included in the provided file manifest or install specification.
ttsScript: path.join(__dirname, '../../minimax-tts-cn/scripts/tts.py'), directorScript: path.join(__dirname, '../../video-director/scripts/plan.js')
Bundle or pin these helper dependencies, declare them in the install requirements, and avoid automatically executing code outside the skill package without clear user approval.
Video topics and image prompts may be sent to a third-party AI provider.
The skill sends generated image prompts to the MiniMax API. This is purpose-aligned for AI material generation, but the provider/data flow is not declared in the registry metadata.
hostname: 'api.minimaxi.com', path: '/v1/image_generation', method: 'POST' ... prompt: prompt ... 'Authorization': 'Bearer ' + CONFIG.imageApiKey
Disclose the provider in the skill metadata and avoid putting private or sensitive information in prompts unless the user accepts MiniMax's data handling terms.
