Fitness Recipes AI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its video-generation purpose, but it includes a hard-coded ElevenLabs API key and under-declared credential/automation behavior that should be reviewed before use.
Before installing or running this skill, remove and rotate the hard-coded ElevenLabs key, use only your own scoped API keys, verify provider costs and quotas, avoid enabling cron unless you want daily background generation, and do not provide Postiz/TikTok credentials until the posting implementation and approval flow are clear.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running or sharing the skill can use or expose an account the user does not control, blurring the boundaries of billing responsibility, abuse accountability, and credential ownership.
An included script contains a literal ElevenLabs API key instead of reading the documented ELEVENLABS_API_KEY environment variable.
ELEVENLABS_API_KEY = "sk_64a3d..."
Remove the hard-coded key, rotate it, require the user to provide ELEVENLABS_API_KEY through the environment, and declare the credential requirement in registry metadata.
Users may not realize before installation that the skill depends on paid third-party accounts and, optionally, a social-posting service credential.
The setup asks for multiple provider credentials, including an optional posting credential, while the registry-level requirements shown to the reviewer declare no required env vars or primary credential.
export FAL_API_KEY="your_fal_key" ... export POSTIZ_API_KEY="your_postiz_key" # optional
Clearly declare all required and optional credentials in metadata, and use least-privilege keys with spending limits where possible.
A user could over-trust the listing or provide a social-posting credential before seeing how public posts would be reviewed or controlled.
Public auto-posting is advertised, but the provided code does not show a Postiz/TikTok posting implementation or a review/confirmation boundary.
Posts to TikTok via Postiz (optional) or exports for manual upload
Do not provide Postiz/TikTok credentials unless the posting code and explicit user-approval flow are present and reviewed.
Recipe text, generated media metadata, and possibly local file names may be processed by external services.
The core workflow sends prompts, scripts, audio/video asset data, and API-authenticated requests to third-party providers; this is disclosed and purpose-aligned.
generates AI images via fal.ai, adds voiceover with ElevenLabs, renders video with Shotstack
Avoid using confidential content in prompts or scripts, and review each provider's retention, privacy, and billing terms.
The script may fail or require the user to install additional local media tooling that was not clearly declared up front.
The skill executes the local ffmpeg binary for media generation, which is reasonable for video creation but is not declared in the install requirements.
cmd = ["ffmpeg", "-y", ...]; subprocess.run(cmd, capture_output=True, timeout=120)
Document ffmpeg and other non-Python dependencies explicitly, and install them only from trusted sources.
If enabled, it can keep generating videos in the background and consume API credits every day.
The file documents a user-directed cron setup that would run the skill daily; the artifacts do not show automatic installation of this persistence.
Add to cron: 0 8 * * * cd /root/clawd/bots/fitness-recipes-ai && source venv/bin/activate && python3 daily_batch.py
Only add the cron job intentionally, monitor provider quotas/costs, and remove the cron entry when no longer needed.
