Fliz AI Video Generator
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: fliz-ai-video-generator Version: 1.0.0 The skill bundle provides a legitimate integration for the Fliz AI video generation API. All code (Python, Node.js, Shell scripts) and documentation (`SKILL.md`, `README.md`, `references/*.md`) consistently direct network requests to `https://app.fliz.ai` for video creation and management. API keys are handled securely via environment variables or command-line arguments, and local file operations are limited to reading input or writing output/log files, which is aligned with the stated purpose. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the API key can perform the supported Fliz actions, including creating, listing, translating, and duplicating videos.
The skill requires a Fliz bearer token/API key to act on the user's Fliz account.
All requests require Bearer token authentication ... Run with: `python scripts/<script>.py --api-key YOUR_KEY`
Store FLIZ_API_KEY securely, avoid putting it in logs or shared prompts, rotate it if exposed, and review account-changing actions before running scripts.
A user who executes the sample script as a whole may create test videos or trigger other Fliz operations they did not intend to run.
The example shell script contains account-mutating API calls at top level; running the whole file with a real API key can create videos and potentially consume Fliz credits.
echo "Creating video (minimal)..." ... curl -s -X POST "${BASE_URL}/api/rest/video"Run only the specific example commands you need, replace placeholders deliberately, and avoid executing the whole cURL example file blindly.
If deployed publicly as-is, other parties could view recent webhook metadata or send spoofed webhook payloads.
The sample webhook server listens on all interfaces and exposes recent webhook payloads through an unauthenticated history endpoint; the handler also does not verify webhook origin.
@app.route('/webhook/fliz/history', methods=['GET']) ... "webhooks": webhook_history[-20:] ... app.run(host='0.0.0.0', port=port, debug=debug)Before using the webhook handler beyond local testing, add authentication or signature verification, protect or remove the history endpoint, restrict network exposure, and limit accepted request sizes.