Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Reelsmith

v0.2.0

Create short-form vertical video packages, preview reels, narrated reels, and AI-video workflows from ideas, articles, updates, or source material. Use when...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md and included scripts implement reel preview, TTS, muxing, and an optional LTX text-to-video backend, which is coherent with the 'Reelsmith' purpose. However, the registry metadata claims no required env vars or binaries, while the code requires OPENAI_API_KEY (OpenAI TTS), optionally LTX_API_KEY (ltx_text_to_video.py), and the ffmpeg binary. Declaring none of those in metadata is inconsistent and disproportionate.
Instruction Scope
Runtime instructions stay within the stated domain: generating scripts, previews, and optional TTS/video backend calls. They instruct writing scene text files, calling local Python scripts, invoking ffmpeg, and contacting external APIs (OpenAI and api.ltx.video). The SKILL.md explicitly mentions OPENAI_API_KEY but does not clearly document LTX_API_KEY or the requirement for ffmpeg and Python dependencies; that omission widens the agent's effective scope unexpectedly.
! Install Mechanism
There is no install spec (instruction-only), which is low risk by itself, but the repository includes runnable Python scripts that depend on external binaries (ffmpeg), the OpenAI Python client, and the requests package. No dependency or installation instructions are declared in the registry metadata, increasing the chance a user will run code that fails or runs in an unexpected environment. The ltx_text_to_video script issues network requests to api.ltx.video (a third-party endpoint) — acceptable for functionality but worth verifying trustworthiness.
! Credentials
Registry metadata declared no required environment variables but the SKILL.md and code require at least OPENAI_API_KEY for TTS; the LTX helper requires LTX_API_KEY at runtime and will exit if absent. These are high-sensitivity secrets (API keys). The absence of these from metadata is an incoherence and a potential security risk because users might be asked to provide credentials without clear justification in the registry listing.
Persistence & Privilege
always is false and the skill does not request persistent/always-on privileges or modify other skills or system-wide settings. Autonomous invocation is allowed by default (normal) and there are no signs the skill attempts to change agent configuration.
What to consider before installing
This skill's code and SKILL.md implement what 'Reelsmith' claims to do, but the package metadata omits important runtime requirements. Before installing or running it:
1) Request corrected metadata that explicitly lists required env vars (OPENAI_API_KEY and, if you plan to use the LTX backend, LTX_API_KEY), required binaries (ffmpeg) and Python dependencies (openai, requests).
2) Verify you trust the external endpoint https://api.ltx.video and confirm its privacy/usage terms before supplying an LTX API key.
3) Run the scripts in a controlled environment (sandbox/container) so ffmpeg and subprocess calls can't access unexpected host files.
4) Only provide API keys you intend to use for this capability (consider scoped keys or separate service accounts).
If the publisher cannot or will not clarify the missing declarations, treat the package as untrusted until those inconsistencies are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f97zkf8yn9f7bfscgndbees844b22
