Short Video Agent Kit
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: short-video-agent-kit
Version: 0.1.0
The skill bundle provides instructions and configuration for the 'short-video-agent-kit', an MCP-compatible tool for managing AI video generation payloads. The documentation in SKILL.md includes explicit safety guidelines, prioritizing privacy audits and dry-run modes while warning against the exposure of API keys or OAuth tokens. The execution methods (npx/npm exec) are standard for this ecosystem, and no indicators of malicious intent, data exfiltration, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup command will execute code from the npm package, and an unpinned package may change over time.
The skill instructs users to run an external npm package via npm exec/npx, and the shown command does not pin a package version. This is central to the skill's purpose, but users should verify the package provenance before running it.
`npm exec --yes --package=short-video-agent-kit -- short-video-agent-kit doctor` ... `"command": "npx", "args": ["-y", "short-video-agent-kit"]`
Verify the npm package and GitHub repository, consider pinning a known-good version, and run the doctor/manifest checks before granting provider credentials.
If live mode is enabled, prompts or assets may be sent to external providers and may incur cost.
The artifact shows the tool can make live calls to paid video providers. The instruction includes appropriate user-consent boundaries, so this is a purpose-aligned note rather than a concern.
Dry-run is the default. Only call paid providers when the user explicitly enables live mode and owns the prompts/assets.
Keep dry-run mode until you intentionally want a live provider call, confirm content rights, and approve any paid generation step explicitly.
Provider tokens or API keys could authorize paid actions or access provider accounts if configured.
The registry signals that OAuth or other sensitive provider credentials may be used, while the requirements section does not list exact credential variables. This is expected for multi-provider video integrations, but users should be aware of it.
Capability signals: requires-oauth-token; requires-sensitive-credentials
Use least-privilege provider credentials, avoid pasting secrets into chat, and rotate/revoke tokens if they are exposed.
