Wjs Overlaying Video
PendingVirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your rendered MP4 could include a promotional end card for 王建硕 even if you intended different branding.
This tells the agent/template to force a specific channel CTA in the generated video instead of confirming or adapting the CTA to the user's intended channel or guest.
Place at the end of every clip; **always use 王建硕 as the channel name** (per global instructions — never a guest's name).
Edit or remove the CTA template before rendering, and require explicit user confirmation for any end-card branding.
Generating AI covers may use your existing Codex account/session.
Optional AI cover generation uses a local authenticated Codex profile. This is disclosed and purpose-aligned, but the registry metadata does not declare credentials.
**Codex auth required**: the script calls codex CLI via `gpt-image-2-skill`. If `~/.codex/auth.json` is missing, the script errors.
Only use cover generation if you trust the referenced gpt-image/Codex tooling and are comfortable using that local account.
Running the reference script may download or execute external Node tooling in your project.
The template invokes npx to initialize HyperFrames, which may execute npm-distributed tooling. This is central to the stated purpose but is not represented in the install requirements.
subprocess.run(["npx", "hyperframes", "init"], cwd=proj, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
Review and pin the HyperFrames package/version where possible, and run the script only in a disposable or backed-up project directory.
Custom overlay snippets can run JavaScript while the video project is rendered.
The scaffolder supports custom overlays that inline user-supplied HTML/CSS/GSAP into the rendered composition. This is an intended escape hatch, but untrusted fragments could execute script in the render context.
custom inner HTML/CSS/GSAP supplied by the user in a fragment file
Use only trusted custom overlay fragments, and avoid fragments that make network calls or access unexpected browser APIs.