Video Generator CLI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is an instruction-only video-generation command guide. It is mostly coherent, but users should note that some commands delete locally generated media and that the guide requires undeclared tools and API credentials.

This skill appears benign as a command guide. Before installing or using it, make sure you are in the correct video-generator project, review the local npm scripts because they were not included here, and be aware that fresh generation deletes existing generated cache/video/audio files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Running the fresh generation command could delete prior generated video/audio assets in the project folders.

Why it was flagged

The skill documents commands that perform local file deletion as part of a fresh video generation workflow. This is purpose-aligned and disclosed, but should be run only in the intended project directory.

Skill content
`npm run generate` ... `Wipes the .video-cache.json file` ... `Cleans the public/videos and public/audio folders.`
Recommendation

Confirm the working directory and back up any wanted generated media before using `npm run generate` or `npm run build`.

ASI03: Identity and Privilege Abuse
Info
What this means

The user may need to provide a Pexels API key even though the registry metadata does not advertise that requirement.

Why it was flagged

The skill declares a Pexels API key in its own frontmatter, which is expected for stock footage download, but the registry requirement summary says no environment variables are required.

Skill content
```
metadata:
  requires:
    bins:
      - node
      - npm
      - ffmpeg
      - python
    env:
      - PEXELS_API_KEY
```
Recommendation

Use a scoped Pexels API key if possible and avoid sharing it outside the intended project environment.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The safety of the actual video generator depends on the local project’s package scripts, which were not included in this review.

Why it was flagged

The reviewed artifact does not include the npm package scripts that the guide tells users how to run, so the actual implementation of those commands is outside the submitted scan context.

Skill content
No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.
Recommendation

Before running the npm commands, inspect the local `package.json` scripts and project source or use a trusted repository.