Comic Drama Generate
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent instruction-only comic/video production workflow, with disclosed dependencies on external generation skills, provider credentials, public asset URLs, and local media editing.
Safe to consider installing if you trust the named prerequisite skills and the NanoPhoto-backed workflow. Before use, review the three dependencies, configure API keys only through secure environment settings, confirm expected costs or quota, use only non-sensitive public asset URLs, and keep generated project files in a dedicated folder.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the prerequisites may add capabilities, code, credentials, or provider access not shown in this skill's own files.
The skill depends on installing three named prerequisite skills via latest-version install commands. This is disclosed and central to the purpose, but users should review those dependencies because they are outside this instruction-only artifact.
npx clawhub@latest install video-prompt-generator
npx clawhub@latest install nano-banana-pro
npx clawhub@latest install sora-2-generate
Review the prerequisite skills before installation and prefer pinned or trusted versions where the platform supports it.
Local commands may run to generate or edit media files, and fallback scripts may use the provider API key.
The workflow allows fallback direct script execution and also uses local ffmpeg editing. This is disclosed and purpose-aligned, but it means the user should expect local command execution if the workflow cannot use normal sub-skill execution.
If using direct script execution via `exec`, preserve the same env contract first by ensuring `NANOPHOTO_API_KEY` is available in the shell; only fall back to `--api-key` when needed.
Prefer the normal prerequisite-skill execution path, approve local command execution when prompted, and keep outputs inside a dedicated project directory.
Using the workflow may spend provider credits and authorize the prerequisite skills to call NanoPhoto-backed services.
The skill itself does not request its own credential, but its required sub-skills may use a NanoPhoto API key and account quota. The artifact discloses this and gives secure handling guidance.
Prerequisite skills may require:
- `NANOPHOTO_API_KEY` — required for NanoPhoto-backed prerequisite skills such as `video-prompt-generator`, `nano-banana-pro`, and `sora-2-generate`

Do not paste API keys into chat.
Configure the API key only through secure environment-variable settings, avoid pasting keys into chat, and confirm expected quota or cost before large batches.
Images or generated assets used in the pipeline may be accessible through URLs and sent to external generation services.
The workflow intentionally passes generated assets between API-driven services using public URLs. This is expected for the stated pipeline, and the artifacts also warn against using private or sensitive images.
Use **public URLs** when passing assets between API-driven steps. Apply this rule to:
- turnaround generation output → keyframe generation input
- keyframe generation output → video generation input
Only use images and asset URLs you are comfortable exposing to the relevant services, and avoid private, sensitive, or confidential media.
