Back to plugin

Security audit

HeyGen Video Agent

Security checks across malware telemetry and agentic risk

Overview

This plugin is internally coherent: it implements a HeyGen video-generation provider, requires the HeyGen API key, and its code and docs match that purpose; only minor metadata/packaging notes were found.

This plugin appears to be what it claims: a HeyGen video-provider for OpenClaw that only needs your HeyGen API key. Before installing: (1) confirm the HEYGEN_API_KEY requirement (SKILL.md and openclaw.plugin.json declare it; update your gateway credentials or use the CLI onboarding as documented), (2) be aware that if the gateway builds the plugin it may run npm install and pull transitive dependencies from the lockfile — review/verify the build process and origin of any packages you don't recognize, (3) webhook callback_url is caller-specified — ensure your webhook endpoints validate incoming requests and do not leak sensitive data, (4) rotate the API key if you later uninstall the plugin or suspect misuse, and (5) resolve the small metadata inconsistency (registry metadata showing no required env vs SKILL.md/openclaw.plugin.json requiring HEYGEN_API_KEY) so the install UX clearly informs users of the credential requirement.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.