Short Video Agent Kit
Advisory
Audited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup command will execute code from the npm package, and an unpinned package may change over time.
The skill instructs users to run an external npm package via npm exec/npx, and the shown command does not pin a package version. This is central to the skill's purpose, but users should verify the package provenance before running it.
`npm exec --yes --package=short-video-agent-kit -- short-video-agent-kit doctor` ... `"command": "npx", "args": ["-y", "short-video-agent-kit"]`
Verify the npm package and GitHub repository, consider pinning a known-good version, and run the doctor/manifest checks before granting provider credentials.
If live mode is enabled, prompts or assets may be sent to external providers and may incur cost.
The artifact shows the tool can make live calls to paid video providers. The instruction includes appropriate user-consent boundaries, so this is a purpose-aligned note rather than a concern.
Dry-run is the default. Only call paid providers when the user explicitly enables live mode and owns the prompts/assets.
Keep dry-run mode until you intentionally want a live provider call, confirm content rights, and approve any paid generation step explicitly.
Provider tokens or API keys could authorize paid actions or access provider accounts if configured.
The registry signals that OAuth or other sensitive provider credentials may be used, while the requirements section does not list exact credential variables. This is expected for multi-provider video integrations, but users should be aware of it.
Capability signals: requires-oauth-token; requires-sensitive-credentials
Use least-privilege provider credentials, avoid pasting secrets into chat, and rotate/revoke tokens if they are exposed.
