Video Prompt Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims, but it uses your NanoPhoto API key and sends prompt inputs to NanoPhoto’s service.
This skill looks coherent for generating video prompts. Before installing, make sure you trust NanoPhoto with the topics and public image URLs you provide, understand that generations may consume account credits, and keep the API key in the secure skill environment rather than chat or command-line arguments.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill can spend NanoPhoto credits or make requests under the configured NanoPhoto account.
The script uses a NanoPhoto API key from a command argument, environment variable, or the skill's OpenClaw config entry. This is disclosed and necessary for the API, but it is still account-level credential use.
return explicit_api_key or os.environ.get(ENV_KEY_NAME) or load_api_key_from_openclaw_config()
Store the API key only in the platform's secure environment setting, avoid passing it on the command line, and revoke or rotate the key if you stop using the skill.
Prompt topics and any public image URLs you provide are shared with NanoPhoto, and the API reference says each generation costs credits.
The bundled script sends the user-provided topic, parameters, and optional image URLs to NanoPhoto's prompt-generation endpoint. This is the core purpose of the skill and is clearly disclosed.
API_URL = "https://nanophoto.ai/api/sora-2/generate-prompt"
Do not include sensitive private information in topics, and only use public image URLs you are authorized and comfortable sending to NanoPhoto.