Short Video Agent Kit
Pass
Audited by ClawScan on May 6, 2026.
Overview
The provided skill is a coherent dry-run-first setup guide for a short-video MCP tool, with no malicious behavior evident, but users should notice it relies on an external npm/npx package and may use provider credentials for live video generation.
Before installing, verify the npm package and repository, consider pinning the package version, start with doctor/manifest/privacy-audit and dry-run surfaces, and only enable live provider mode with the specific credentials and assets you intend to use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup command will execute code from the npm package, and an unpinned package may change over time.
The skill instructs users to run an external npm package via npm exec/npx, and the shown command does not pin a package version. This is central to the skill's purpose, but users should verify the package provenance before running it.
`npm exec --yes --package=short-video-agent-kit -- short-video-agent-kit doctor` ... `"command": "npx", "args": ["-y", "short-video-agent-kit"]`
Verify the npm package and GitHub repository, consider pinning a known-good version, and run the doctor/manifest checks before granting provider credentials.
If live mode is enabled, prompts or assets may be sent to external providers and may incur cost.
The artifact shows the tool can make live calls to paid video providers. The instruction includes appropriate user-consent boundaries, so this is a purpose-aligned note rather than a concern.
Dry-run is the default. Only call paid providers when the user explicitly enables live mode and owns the prompts/assets.
Keep dry-run mode until you intentionally want a live provider call, confirm content rights, and approve any paid generation step explicitly.
Provider tokens or API keys could authorize paid actions or access provider accounts if configured.
The registry signals that OAuth or other sensitive provider credentials may be used, while the requirements section does not list exact credential variables. This is expected for multi-provider video integrations but should be noticed by users.
Capability signals: requires-oauth-token; requires-sensitive-credentials
Use least-privilege provider credentials, avoid pasting secrets into chat, and rotate/revoke tokens if they are exposed.
