ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Generator CLI

v5.0.0

Guide for running the Video Generator CLI commands.

0· 44·0 current·0 all-time
byPremkmar M@itspremkumar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
SKILL.md requires node, npm, ffmpeg, python and a PEXELS_API_KEY which all make sense for a video generator that downloads stock footage and assembles + transcodes video. However the registry-level requirements reported above list no required binaries and no required env vars. That mismatch (manifest vs SKILL.md) is incoherent and should be resolved — a consumer cannot tell which requirements are authoritative.
Instruction Scope
The instructions stay within the scope of running a local CLI: wiping a .video-cache.json, cleaning public/ folders, reading input/input-scripts.json, downloading stock footage, rendering segments, and stitching with ffmpeg. One ambiguity: SKILL.md says it 'generates voiceovers' and names AI voice IDs but does not declare what TTS service or credentials (if any) are used. That could require additional secrets or network calls not declared in the file.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That is low-risk from an install/extraction perspective — nothing is downloaded or written by a packaged installer described here.
!
Credentials
SKILL.md lists PEXELS_API_KEY as a required env var which is proportionate for downloading stock footage. But the registry metadata reported earlier lists no required env vars. The mismatch is concerning because it hides a declared credential requirement from the registry-level summary. Also the voice synthesis step mentions AI voice IDs but no TTS credentials are declared; additional credentials may be required but are not specified.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and has no install script that writes persistent configuration. It does not request elevated persistence or system-wide configuration changes.
What to consider before installing
Before using this skill: (1) Confirm which manifest is authoritative — the registry summary or the SKILL.md — because SKILL.md requires node/npm/ffmpeg/python and PEXELS_API_KEY while the registry metadata shows none. (2) Inspect the project's package.json and the actual CLI scripts (npm scripts) referenced (generate, resume, segment, dev) in a trusted code review environment before running them; the SKILL.md explains behaviors such as wiping .video-cache.json and clearing public/videos and public/audio, so back up any important files beforehand. (3) Ask or inspect where 'voiceover generation' is performed — it may call an external TTS service and require additional credentials you should not supply blindly. (4) Limit the PEXELS_API_KEY scope (use a dedicated key) and verify network endpoints used by the tool. (5) Because this skill is instruction-only (no bundled code), prefer installing and reviewing the actual project source from a trustworthy repository prior to execution. If you cannot resolve the manifest mismatch or determine the TTS behavior, treat this skill with caution and avoid running destructive commands (generate/build) until you can audit the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ez2k6m09c7qzcaag4nca32584dqhx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments