autoshorts

Advisory

Audited by Static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user approves the wrong clip or metadata, content could be posted to connected social accounts.

Why it was flagged

The skill can cause public or scheduled social posting through Upload-Post, which is high-impact tool use, but the artifact explicitly describes a human approval gate.

Skill content

you approve, Upload-Post publishes. One video per run, human-gated before posting.

Recommendation

Review the rendered clip, caption, platforms, schedule, and account profile before approving any publish IDs.

What this means

These credentials can authorize video analysis and social publishing through the configured services.

Why it was flagged

The skill requires API keys for Gemini and Upload-Post, including access to a profile linked to social media accounts.

Skill content

env: [UPLOAD_POST_API_KEY, UPLOAD_POST_PROFILE, GEMINI_API_KEY]

Recommendation

Use least-privilege API keys where possible, keep the .env file private, and revoke/rotate keys if the machine or skill directory is exposed.

What this means

Candidate videos and approval choices may pass through Telegram, WhatsApp, or another configured channel outside the local machine.

Why it was flagged

The workflow relies on an external harness/messaging bridge to send candidate clip files and receive approval replies.

Skill content

openclaw delivers that table plus the clip files via the user's chosen channel; the user replies on their phone

Recommendation

Only use trusted messaging bridges and avoid processing videos that should not be shared through that channel.

What this means

Historical metrics and learned preferences can shape future outputs and may retain information about prior posts.

Why it was flagged

The skill persists analytics and learnings that influence future Gemini prompts and clip selection.

Skill content

Engagement data flows back from Upload-Post analytics into the Gemini prompt that selects tomorrow's clips.

Recommendation

Periodically review or delete the learnings/history files if you do not want past performance data reused.

What this means

A scheduler could keep processing new videos every day, using compute and preparing posts until disabled.

Why it was flagged

The skill is designed for recurring autonomous invocation, although the artifacts describe one-video-per-run processing and approval before posting.

Skill content

This skill is meant to run as a daily infinite loop. Every run picks ONE video and walks it through the pipeline.

Recommendation

Configure the daily scheduler intentionally and disable it when you do not want the pipeline to run.

What this means

Installation may fail or prompt unexpectedly if the registry metadata is trusted instead of the skill documentation.

Why it was flagged

The registry metadata under-declares requirements that are clearly documented inside SKILL.md, so automated installers may not preflight the needed credentials and binaries.

Skill content

metadata: "Required env vars: none"; SKILL.md: "env: [UPLOAD_POST_API_KEY, UPLOAD_POST_PROFILE, GEMINI_API_KEY]"

Recommendation

Follow SKILL.md/README.md setup requirements and verify the source, dependencies, and environment variables before use.