Ai Video Pipeline
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its video-making purpose, but its fixed temporary caches can accidentally reuse old audio, subtitles, or clips in a later video.
Use this only if you are comfortable sending script text/prompts to the named AI providers and spending their API quota. Before each new video, use a fresh work directory or clear /tmp/video-poc so old narration, subtitles, and clips cannot be reused accidentally.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A new video could accidentally contain narration or subtitles from an earlier run, potentially exposing previous content or producing the wrong output.
The TTS cache is accepted based only on existing voice/subtitle files; it does not verify that the cached audio/subtitles match the current script or selected voice.
if skip_if_exists and os.path.exists(output_audio) and os.path.exists(subs_json_path): ... return cached_subs
Key caches by a hash of the script, voice, and settings; use a unique per-job/per-user work directory; or clear the work directory before each new video.
A later video may silently reuse visuals from a prior job and then be sent as if it were newly generated.
Generated video clips are skipped based on predictable filenames, not on the current prompt or job metadata, so stale clips can cascade into a new MP4.
clip_path = os.path.join(work_dir, f"clip_{idx+1}{suffix}.mp4") ... if os.path.exists(clip_path): ... "已存在,跳过"
Store prompt/frame metadata beside each clip and validate it before reuse, or generate each job in a fresh isolated directory.
The job can consume CPU, disk, network bandwidth, time, and paid API quota after you approve production.
The skill explicitly asks the agent to run a local Python video-generation pipeline after user confirmation; this is expected for the purpose but is still local command/tool execution.
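After confirmation, the agent calls `build_video.py` to generate everything in one step ... The agent's responsibilities during production: run the `build_video.py` command (in the background)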
Review the plan and estimated cost before confirming, and stop/clear the job if you change topics or start a new video.
Those keys may allow paid provider actions if configured with broad account permissions.
The skill uses provider credentials for TTS, video generation, and BGM generation; this is purpose-aligned, but the registry metadata does not declare a primary credential or required env vars.
`VOLC_APP_ID`, `VOLC_ACCESS_KEY`, `VOLC_APP_KEY`, `VOLC_ACCESS_KEY_ID`, `VOLC_SECRET_KEY`, `MINIMAX_API_KEY`
Use least-privilege provider keys where possible, monitor usage/costs, and declare required credentials in the skill metadata.
Private or sensitive script text may be processed by Volc/Bytedance, Jimeng, or MiniMax services.
User scripts and paragraph prompts are sent to external provider APIs as part of the intended video-generation workflow.
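`TTS`: the podcast API generates the speech ... `Jimeng AI video clips`: an animated clip is generated automatically for each paragraph ... the paragraph's original text is used as the prompt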
Do not include confidential material unless you are comfortable with those providers processing it; document provider data handling expectations.
Setup may fail unexpectedly or request undeclared keys/tools at runtime.
The registry/install metadata under-declares the environment needed by the supplied scripts, even though the behavior is disclosed in SKILL.md and source code.
Required env vars: none ... Primary credential: none ... Required binaries ... none ... No install spec
Declare required provider env vars, system binaries, and Python dependencies in the skill metadata or install documentation.
