Fliz AI Video Generator

Advisory

Audited by static analysis on May 10, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent with the API key can perform the supported Fliz actions, including creating, listing, translating, and duplicating videos.

Why it was flagged

The skill requires a Fliz bearer token/API key to act on the user's Fliz account.

Skill content

All requests require Bearer token authentication ... Run with: `python scripts/<script>.py --api-key YOUR_KEY`

Recommendation

Store FLIZ_API_KEY securely, avoid putting it in logs or shared prompts, rotate it if exposed, and review account-changing actions before running scripts.

What this means

A user who executes the sample script as a whole may create test videos or trigger other Fliz operations they did not intend to run.

Why it was flagged

The example shell script contains account-mutating API calls at top level; running the whole file with a real API key can create videos and potentially consume Fliz credits.

Skill content

`echo "Creating video (minimal)..."` ... `curl -s -X POST "${BASE_URL}/api/rest/video"`

Recommendation

Run only the specific example commands you need, replace placeholders deliberately, and avoid executing the whole cURL example file blindly.

What this means

If deployed publicly as-is, other parties could view recent webhook metadata or send spoofed webhook payloads.

Why it was flagged

The sample webhook server listens on all interfaces and exposes recent webhook payloads through an unauthenticated history endpoint; the handler also does not verify webhook origin.

Skill content

`@app.route('/webhook/fliz/history', methods=['GET'])` ... `"webhooks": webhook_history[-20:]` ... `app.run(host='0.0.0.0', port=port, debug=debug)`

Recommendation

Before using the webhook handler beyond local testing, add authentication or signature verification, protect or remove the history endpoint, restrict network exposure, and limit accepted request sizes.