Security audit
HeyGen Video Agent
Security checks across malware telemetry and agentic risk
Overview
This plugin is internally coherent: it implements a HeyGen video-generation provider, requires the HeyGen API key, and its code and docs match that purpose; only minor metadata/packaging notes were found.
This plugin appears to be what it claims: a HeyGen video-provider for OpenClaw that only needs your HeyGen API key. Before installing: (1) confirm the HEYGEN_API_KEY requirement (SKILL.md and openclaw.plugin.json declare it; update your gateway credentials or use the CLI onboarding as documented), (2) be aware that if the gateway builds the plugin it may run npm install and pull transitive dependencies from the lockfile — review/verify the build process and origin of any packages you don't recognize, (3) webhook callback_url is caller-specified — ensure your webhook endpoints validate incoming requests and do not leak sensitive data, (4) rotate the API key if you later uninstall the plugin or suspect misuse, and (5) resolve the small metadata inconsistency (registry metadata showing no required env vs SKILL.md/openclaw.plugin.json requiring HEYGEN_API_KEY) so the install UX clearly informs users of the credential requirement.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
