Auto Shorts Repurposer
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: auto-shorts-repurposer Version: 1.0.0 The skill bundle is clearly benign. It contains strong, explicit instructions across multiple files (`SKILL.md`, `references/auth.md`, `references/safety.md`) that forbid malicious actions such as publishing content, requesting user credentials, storing API keys, or exfiltrating source media. The documentation consistently reinforces a 'drafts only' and 'analysis-only' scope, and any mentioned network interactions (e.g., transcription APIs, webhooks) are for legitimate, stated purposes with security best practices outlined. There is no evidence of prompt injection attempts, malicious execution, data exfiltration, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user chooses an external transcription service, the key could authorize provider usage or billing, so it should be handled carefully.
The skill may rely on a user-provided transcription-service API key, which is sensitive account authority, but the instruction scopes it to the relevant service and explicitly says not to store it or request posting credentials.
If using a transcription service, use user-managed API keys and do not store them in files. Never request social login or posting credentials.
Use a least-privilege transcription key only when needed, avoid sharing social-media credentials, and revoke or rotate the key if it is accidentally exposed.
Private media, URLs, or transcripts could be shared with a transcription provider if the user chooses that workflow.
Optional provider calls could send media URLs or transcript-related data outside the local environment, though the artifact frames this as optional, minimal, and provider-documented.
If a transcription API is used, follow the provider's official docs and keep requests minimal.
Prefer local processing for sensitive media, confirm the provider and data sent before using an API, and avoid sending private conversations or sensitive personal data.