Video Agent (Deprecated)
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a disclosed legacy HeyGen video-generation skill; it is not suspicious, but it uses your HeyGen API key and can create, upload, list, or delete HeyGen account media.
Prefer the current create-video or avatar-video skills if they fit your task. If you install this deprecated legacy skill, provide HEYGEN_API_KEY only when you are comfortable letting the agent operate your HeyGen account, and explicitly review video generation, uploads, and deletions because they may consume credits or affect stored account media.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could use your HeyGen account to create videos, list account videos, or delete a video when following a relevant request.
The skill exposes a broad HeyGen tool namespace and documents account-affecting actions, including generation, listing, and deletion, plus direct API fallback. This matches the video-management purpose but should be user-controlled.
allowed-tools: mcp__heygen__* ... List account videos ... Delete a video ... If no HeyGen MCP tools are available, use direct HTTP API calls with X-Api-Key
Use the newer scoped skills where possible, and explicitly confirm uploads, generation jobs, and deletions before the agent performs them.
Anyone using this skill with your environment can make HeyGen API requests under your account permissions.
The skill requires a HeyGen API key, which is expected for this provider integration but grants access to the user’s HeyGen account.
requires: env: - HEYGEN_API_KEY ... primaryEnv: HEYGEN_API_KEY
Use a dedicated or least-privileged HeyGen API key if available, keep it out of shared logs, monitor usage, and rotate it if exposed.
Images, videos, audio, or portrait photos selected for a project may be sent to HeyGen and stored as account assets.
The references show local media files being read and uploaded to HeyGen’s provider endpoint. This is expected for custom backgrounds, audio, and photo avatars, but it crosses a data boundary.
POST https://upload.heygen.com/v1/asset ... The request body is the raw binary file data ... const fileBuffer = fs.readFileSync(resolvedPath);
Review file paths and media contents before upload, avoid sending confidential files unintentionally, and check HeyGen retention/privacy settings for uploaded assets.