Remotion + Excalidraw + TTS

Verdict: Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The video-generation workflow is coherent, but its optional cloud TTS mode can expose API keys in command logs.

Install only if you are comfortable running local Remotion/npm tooling. Use the default local macOS `say` backend for private content. If you use the OpenAI or ElevenLabs TTS backends, first modify the script so it does not print API keys, or treat any key it has already echoed as exposed and rotate it afterward.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1 of 3: API keys echoed in command logs

What this means

Your API key could appear in terminal output, agent transcripts, log files, or local process listings (the key is passed to curl on its command line, so it is visible to anyone who can read `ps` output while the request runs). Anyone with access to those places can use the key.

Why it was flagged

The helper prints every command before execution, including curl headers that contain OpenAI or ElevenLabs API keys when those optional TTS backends are used.

Skill content
`print(f"+ {' '.join(cmd)}", flush=True)` ... `f"Authorization: Bearer {api_key}"` ... `f"xi-api-key: {api_key}"`
Recommendation

Prefer the local macOS `say` backend or a pre-generated MP3 unless the script is changed to redact secrets from its command echo and to hand the credential to curl without placing it on the echoed command line. Rotate any API key that may already have been logged.
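As an added example, not code from the skill or from ClawScan, here is one way to change the quoted echo pattern: the same `+ command` line is printed, but credential headers are masked, and a builder writes the credential header to a mode-0600 temp file that curl reads with `-H @file` (supported since curl 7.55.0), so the key never appears on argv, in the echo, or in `ps`. The function names, the `sk-test` keys and the request body are constructed for the example and are not part of the skill.

```python
import os
import subprocess
import tempfile
from typing import Iterable, List, Tuple

# Example code, not the skill's own. Header names whose values are credentials
# for the two cloud TTS backends named in the finding.
SECRET_HEADERS = ("authorization", "xi-api-key")
# curl options whose following argument is itself a credential.
SECRET_OPTIONS = ("--oauth2-bearer", "-u", "--user")


def _mask_header(header: str) -> str:
    """Mask the value of 'Name: value' when Name is a credential header."""
    name, sep, value = header.partition(":")
    if sep and name.strip().lower() in SECRET_HEADERS and value.strip():
        return f"{name.strip()}: [REDACTED]"
    return header


def redact_cmd(cmd: Iterable[str]) -> str:
    """Printable form of argv with credentials masked.

    Covers '-H' followed by 'Authorization: Bearer ...' or 'xi-api-key: ...'
    as separate argv entries, the fused form '-HAuthorization: ...', and
    credential options such as --oauth2-bearer. Non-secret headers pass through.
    """
    out: List[str] = []
    prev = ""
    for arg in cmd:
        if prev in ("-H", "--header"):
            out.append(_mask_header(arg))
        elif prev in SECRET_OPTIONS:
            out.append("[REDACTED]")
        elif arg.startswith("-H") and len(arg) > 2 and ":" in arg:
            out.append("-H" + _mask_header(arg[2:]))
        else:
            out.append(arg)
        prev = arg
    return " ".join(out)


def build_tts_curl(url: str, auth_header: str, body_json: str,
                   out_path: str) -> Tuple[List[str], str]:
    """Build a curl argv that never carries the API key on the command line.

    The full credential header ('Authorization: Bearer <key>' or
    'xi-api-key: <key>') is written to a temp file that mkstemp creates with
    mode 0600, and curl reads it via '-H @file' (curl 7.55.0 or later). The
    echoed command and process listings show only the file path.
    Returns (argv, header_file_path); the caller removes the file afterwards.
    """
    fd, header_path = tempfile.mkstemp(prefix="tts-hdr-", suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(auth_header.strip() + "\n")
    argv = [
        "curl", "-sS", "--fail", url,
        "-H", f"@{header_path}",
        "-H", "Content-Type: application/json",
        "--data", body_json,
        "-o", out_path,
    ]
    return argv, header_path


def run_logged(cmd: List[str], dry_run: bool = False) -> int:
    """Echo the command the way the skill does, but through redact_cmd."""
    print(f"+ {redact_cmd(cmd)}", flush=True)
    if dry_run:
        return 0
    return subprocess.run(cmd, check=False).returncode


def remove_secret_file(path: str) -> bool:
    """Delete the header file; True when it no longer exists."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass
    return not os.path.exists(path)


if __name__ == "__main__":
    # Constructed inputs: a fake key and a minimal request body.
    leaky = ["curl", "-H", "Authorization: Bearer sk-test-0000",
             "https://api.openai.com/v1/audio/speech"]
    print(redact_cmd(leaky))
    argv, hdr = build_tts_curl("https://api.openai.com/v1/audio/speech",
                               "Authorization: Bearer sk-test-0000",
                               '{"input":"hello"}', "speech.mp3")
    run_logged(argv, dry_run=True)  # echo shows @/tmp/tts-hdr-...txt, not the key
    remove_secret_file(hdr)
```

Redaction alone still leaves the key on curl's argv, which is why the builder moves it into a private file; the two measures cover different exposure paths (logs and transcripts versus process listings). The `dry_run` flag exists only so the example runs offline; a real call would omit it.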

Finding 2 of 3: voiceover text sent to cloud TTS providers

What this means

The contents of the voiceover script are shared with OpenAI or ElevenLabs if you choose those backends.

Why it was flagged

When cloud TTS is selected, the script reads the user-provided voiceover text and sends it to the selected provider API to synthesize audio.

Skill content
`text = voiceover_text.read_text(encoding="utf-8")` ... `"https://api.openai.com/v1/audio/speech"` ... `"https://api.elevenlabs.io/v1/text-to-speech/{voice_id}"`
Recommendation

Use the default local `say` backend for private scripts, or review the selected provider's data handling and retention terms before sending voiceover text to cloud TTS.

Finding 3 of 3: third-party npm packages installed and run at execution time

What this means

Running the skill will download and execute third-party Node tooling needed for rendering.

Why it was flagged

The renderer installs and runs Node/Remotion dependencies at execution time. This is central to the stated video-rendering purpose, but it means the skill pulls in and executes external npm packages (and their install scripts) each time it sets up the temp project.

Skill content
the script will run `npm i` in the temp project ... renders MP4 with `npx remotion render`
Recommendation

Run it under a normal (non-administrator) user account, keep the npm/Node dependencies updated, and avoid running it in directories or environments that hold sensitive data.