Flyworks Avatar Video
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Flyworks video-generation helper, but it sends selected photos, audio, text, and voice samples to Flyworks and stores small local aliases.
Before installing, confirm you are comfortable sending selected photos, voice samples, audio, and script text to Flyworks/HiFly. Use only media you have permission to use, consider setting your own API token instead of the demo token, and periodically review or remove the local memory.json alias file.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Photos, voice samples, audio, and generated-video text may be processed by the external Flyworks/HiFly service.
The client uploads selected local media to Flyworks/HiFly infrastructure, which is central to avatar and voice generation but means photos, audio, and text can leave the user's device.
BASE_URL = "https://hfw-api.hifly.cc/api/v2/hifly" ... resp_put = requests.put(upload_url, data=f, headers=headers_put)
Only upload media you have rights and consent to use, avoid highly sensitive files, and review Flyworks/HiFly privacy and retention terms before using personal face or voice data.
If you set your own token, the agent can create Flyworks resources under that account; if you do not, requests use the shared limited demo token.
The helper authenticates API calls with either a user-supplied HIFLY_API_TOKEN or a disclosed default demo token; this is expected for the provider integration.
DEFAULT_TOKEN = "2aeda3bcefac46a3" ... token = os.environ.get("HIFLY_API_TOKEN") ... "Authorization": f"Bearer {get_token()}"Use a dedicated token for real work, keep it in the environment rather than prompts or files, revoke it if exposed, and avoid private workloads on the demo token.
Saved aliases may be reused in later sessions, and anyone with access to the skill directory may see or edit those avatar/voice ID mappings.
The skill persists local aliases for avatar and voice IDs so they can be reused later; this is scoped but creates persistent state.
MEMORY_FILE = Path(__file__).parent / "memory.json" ... json.dump(memory, f, indent=2)
Review or delete scripts/memory.json if you no longer want aliases stored, and do not store secrets or sensitive labels as aliases.
A future dependency resolution could install a different requests version than the author tested.
The Python dependency is not version-pinned, and the README instructs users to install dependencies before running the helper. This is common but can make installs less reproducible.
requests
Install in a virtual environment, verify the package source, and pin dependency versions if you need reproducible or high-assurance deployment.