A skill to help you plan, script, record, edit and publish social media videos
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill fits a video-creation workflow, but it stores an account token locally and sets up background reminder agents that can use that token and message channels later.
Install only if you trust this Humeo integration with a persistent account token and background reminders. Use a limited/revocable PAT, verify the reminder channel, inspect OpenClaw crons, and remove `~/.videoclaw_personal_mcp_token` or rotate the PAT when you no longer need the skill.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A pasted PAT may allow the agent and later background tasks to act on the user's Humeo account until the token is revoked or removed.
The skill collects an account token through chat and persists it locally for reuse. File mode 600 and masking help, but this is still high-impact credential handling that is not reflected in the declared requirements.
if token is missing/invalid, ask user to paste the PAT directly in chat ... OpenClaw agent must write the token to `~/.videoclaw_personal_mcp_token` ... set permission mode `600`
Use a least-privilege, revocable PAT if available, verify the saved file permissions, and remove or rotate the token when you stop using the skill.
Reminder agents may run later without the user present, call Humeo APIs, prepare handoff links, mark reminders, and send messages.
The skill defines autonomous recurring behavior that creates future agent turns. Those future agents read the stored PAT and perform account and messaging actions outside the active user session.
Runs on every heartbeat cycle (~30 min). ... Create a one-shot cron using `CronCreate` ... `"kind": "agentTurn"` ... `Read ~/.videoclaw_personal_mcp_token`
Only enable the heartbeat/calendar reminder behavior if you want background automation; inspect and remove OpenClaw crons when no longer needed.
If the preferred notification channel or session routing is wrong, recording or handoff links could be shown in an unintended place.
The reminder cron passes information and links across notification channels and a main webchat session. This is purpose-aligned for reminders, but users should know recording links may be delivered through those channels.
Send one warm message to BOTH channels: (a) deliver via Telegram announce ... (b) also call sessions_send with sessionKey 'agent:main:main' to post the same message to webchat. Include ... handoffUrl as a clickable link.
Confirm the preferred reminder channel in USER.md and avoid putting sensitive topics into reminders unless the notification channel is trusted.
Previous recordings or transcript excerpts may influence new scripts and be sent back to the Humeo API as context.
The skill may reuse excerpts from prior interview and hook transcripts as style context for new scripts. This is aligned with matching the user's voice, but it involves reusing prior personal content.
For tone continuity, fetch transcript excerpts via `GET|POST /api/mcp/interviews/transcripts/context`, then pass compact context as `transcriptText`.
Ask the agent not to use prior transcript context for sensitive projects, or use exclusions where available.
The agent can change Humeo calendar and video-editing state, and may prepare publishable outputs.
The skill can mutate edit state, calendar items, and render outputs through Humeo APIs. The artifacts generally frame these actions as part of the video workflow and often require user direction.
`POST /api/mcp/edits/apply` — apply an edit via natural language instruction ... `PATCH /api/mcp/calendar/{id}` ... `DELETE /api/mcp/calendar/{id}` ... `POST /api/mcp/renders/request`Review previews and confirm destructive-looking or public-facing actions, especially publishing, calendar deletion, and final rendering.