Boosta Long to Shorts
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: boosta-long-to-shorts Version: 1.0.0 The OpenClaw skill 'boosta-long-to-shorts' is designed to interact with the Boosta API for video processing. The `scripts/boosta_job.py` script securely handles the `BOOSTA_API_KEY` by reading it from environment variables and using it in `Authorization` headers for requests to `https://boosta.pro`. Input validation is performed for `video_type` via `argparse` choices, and network calls are made using `urllib.request` without dangerous shell commands. The `SKILL.md` and `README.md` provide clear, legitimate instructions for the AI agent and users, with no evidence of prompt injection attempts or malicious directives. All files align with the stated purpose, lacking any indicators of data exfiltration, persistence mechanisms, or other harmful behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with your API key, the skill can submit video-processing jobs and may use Boosta credits.
The bundled script can create Boosta processing jobs through the API. This is exactly the skill's purpose, but it is an external account-affecting action.
def submit_job(self, video_url, video_type, config_name=None): ... return self._request("POST", "/jobs", payload)Use it only when you intend to create or check Boosta jobs, and review the video URL, video_type, and config before submitting.
Anyone or any agent process with this environment variable can act on the associated Boosta account within the exposed API operations.
The script reads a Boosta API key from the environment and uses it as a bearer credential. This is expected for the integration, and the artifacts do not show the key being stored or printed.
api_key = os.getenv("BOOSTA_API_KEY") ... headers = {"Authorization": f"Bearer {self.api_key}"}Store the API key securely, avoid sharing logs or shells that expose it, and rotate the key if it may have been disclosed.
Users have less registry-level assurance that the installed package corresponds to the referenced repository.
The registry metadata does not identify a verified source, even though the skill files reference a GitHub repository. This is a provenance gap to notice before installation.
Source: unknown
Install from a trusted registry path and, if using the GitHub/npx path, verify the repository and contents before relying on the skill.