Youtube Factory
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may fetch changing versions of packages or tools from package managers.
The setup discloses external, unpinned packages even though the description claims no external modules. This is user-directed and purpose-aligned, but users should notice the dependency/provenance gap.
"Self-contained, no external modules" ... "pip install edge-tts pillow python-dotenv requests"
Install dependencies from trusted sources, consider pinning versions, and review the linked repository if using this in a sensitive environment.
The skill can use the configured Pexels account/API quota for stock video searches.
The code reads a Pexels API key and sends it as the Authorization header to the Pexels API, which is expected for fetching stock footage.
PEXELS_API_KEY = os.getenv("PEXELS_API_KEY", "") ... headers={"Authorization": PEXELS_API_KEY}Use a dedicated Pexels API key, avoid sharing it, and rotate it if you suspect exposure.
Video topics or script content may be shared with external services as part of normal operation.
The skill is designed to use external providers for voice generation and stock media retrieval, so topics or generated script text may be processed outside the local machine.
"Voiceover" - Free Microsoft Edge TTS ... "Stock Footage" - Auto-fetches relevant B-roll from Pexels
Do not use confidential or embargoed script content unless you are comfortable with the external provider handling.
Generation can consume local CPU/disk resources and may overwrite generated output files when ffmpeg is run with -y.
The skill runs local media tools such as ffmpeg, ffprobe, and edge-tts. This is central to the stated video-generation purpose and uses argument lists rather than shell strings.
subprocess.run(["ffmpeg", "-y", "-i", path, ...])
Run it in a normal user account, keep media tools updated, and review the output directory before regenerating the same project.