Dream Text to Video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherent for generating videos through a disclosed third-party API, with the main considerations being API-key protection and prompt privacy.
This skill appears benign and purpose-aligned. Before installing, confirm you trust the Dream/Newport API provider, use a limited or dedicated API key where possible, and do not submit sensitive prompt content unless you are comfortable with the provider processing it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed, the agent may be able to use the configured API key to submit video-generation requests that could consume quota or incur costs.
The skill requires a DreamAPI/Newport API key, which is expected for the stated text-to-video integration but gives the skill access to a billed provider account.
"requires": {"env": ["DREAMTEXTTOVIDEO_API_KEY"]}, "primaryEnv": "DREAMTEXTTOVIDEO_API_KEY"Use a dedicated API key with spending limits if available, keep it out of prompts and logs, and revoke it if you stop using the skill.
Text prompts may be processed by the third-party video service, so sensitive or private descriptions could be exposed to that provider.
The skill discloses that prompts are sent to an external API endpoint for processing, which is purpose-aligned but means user-provided text leaves the local environment.
POST https://api.newportai.com/api/async/wan/text_to_video/2.1
Review the provider’s privacy and retention terms, and avoid sending confidential, regulated, or personal information in prompts unless appropriate.