ClawHub

AIVideomaker

v1.0.14

Executes AIVideoMaker API workflows for text-to-video and image-to-video generation, including task creation, status polling, task details retrieval, and can...

1· 176·0 current·0 all-time
by@husu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env var (AIVIDEO_API_KEY), and declared binary (node) align with the included client and workflow scripts that call https://aivideomaker.ai endpoints. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and the scripts limit actions to creating tasks, polling status, fetching task details, and cancelling tasks. The code reads only process.env.AIVIDEO_API_KEY, CLI args (including the --payload JSON), and does not access arbitrary host files or other system credentials.
Install Mechanism
No install spec is provided (instruction-only at registry level); the package includes Node scripts only. Nothing is downloaded from untrusted URLs and no extract/install steps are declared.
Credentials
Only AIVIDEO_API_KEY is required (with optional AIVIDEO_TIMEOUT_MS and AIVIDEO_MAX_RETRIES). These variables are proportionate and justified by the API client behavior. The primary credential is declared correctly.
Persistence & Privilege
Skill is not force-included (always:false). It does not modify other skills or system-wide settings and only performs network calls to the documented API endpoints.
Assessment
This skill appears to do exactly what it says: call aivideomaker.ai to create and monitor video-generation tasks and it only needs your AIVIDEO_API_KEY. Before installing, consider: (1) Only provide an API key with the minimum necessary privileges; rotate keys regularly and do not hardcode them. (2) The API key is sent in an HTTP header named "key" — intermediaries or logs could record that header, so avoid sending highly sensitive keys through environments where network egress is monitored. (3) The skill will upload image data (including base64 data URIs) to the upstream service — do not send images you are not comfortable sharing. (4) The code uses web fetch/AbortController behavior common to newer Node versions; ensure your runtime provides fetch (Node >=18) or the agent environment supplies an HTTP fetch implementation. (5) If you need stricter guarantees, run the scripts in an isolated environment and monitor network calls or use a short-lived/revocable API key.
scripts/aivideo-client.mjs:5
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97215dv63hy9rs4s34ev1gqad83jk0b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAIVIDEO_API_KEY

Comments