Video Production

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches a video-production workflow, but it includes persistent cron automation and loosely bounded file-output behavior that users should review before running.

Before installing, confirm you are comfortable providing media-generation API keys and running ffmpeg locally. Avoid enabling the cron quota watcher until you review the omitted watcher script, limit retries, verify the notification recipient, and know how to remove the cron entry. Use only trusted storyboards or add path validation so generated clips cannot be written outside the intended project folder.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, the skill could keep running after the immediate task, make further provider calls, write logs, and send notifications without the user actively watching each run.

Why it was flagged

The skill documents a persistent background cron job that keeps retrying after quota exhaustion and sends a text notification to an ambiguous recipient, without showing cleanup or retry limits.

Skill content

Sets a cron that retries every 30 min, texts Master when done ... echo "*/30 * * * * /path/to/quota_watcher.sh >> /tmp/quota_watcher.log 2>&1") | crontab -

Recommendation

Do not add the cron job unless you review the quota watcher script, confirm notifications go only to you, add retry/expiry limits, and document a removal command.

What this means

A malformed or untrusted storyboard could cause generated media to be written outside the intended project folder or overwrite files the user can write.

Why it was flagged

The storyboard controls output directory and scene IDs used for file writes, with no visible rejection of absolute paths or '..' traversal.

Skill content

output_dir = project_dir / sb.get("output_dir", "clips") ... clip_path = output_dir / f"{scene['id']}.mp4" ... output_path.write_bytes(video_bytes)

Recommendation

Restrict outputs to a project directory, reject absolute paths and path traversal, sanitize scene IDs, and prompt before overwriting existing files.

What this means

Using the skill can spend API quota or incur provider costs under the user's accounts.

Why it was flagged

The skill expects user-owned Google and OpenAI provider credentials for media generation. This is purpose-aligned, but it grants account quota/billing access.

Skill content

export GOOGLE_API_KEY="AIza..." ... export OPENAI_API_KEY="sk-..."

Recommendation

Use restricted API keys where possible, monitor billing/quota, and avoid storing long-lived keys in broadly accessible shell profiles.

What this means

The script will run local media tools on user-supplied media paths and may open the final file automatically.

Why it was flagged

The assembler executes local ffmpeg/ffprobe commands and auto-opens the output file. This is expected for video assembly, but it is still local command execution.

Skill content

result = subprocess.run(cmd, capture_output=True, text=True) ... sp.run(["open", str(output_path)], check=False)

Recommendation

Run it only on trusted project files, ensure ffmpeg is installed from a trusted source, and consider disabling auto-open in unattended workflows.

What this means

Future package changes or dependency confusion could affect behavior if the setup is run later.

Why it was flagged

The documented setup installs packages from the package ecosystem without version pins in the main quick setup. This is user-directed and purpose-aligned, but it leaves dependency versions open.

Skill content

uv venv .venv
uv pip install google-genai Pillow requests

Recommendation

Pin dependency versions, use a lockfile, and install from trusted package sources.

What this means

Project prompts, character descriptions, reference assets, or logs could be retained and reused if this spec is implemented.

Why it was flagged

The included orchestrator spec describes persistent learning, logging, and a character registry. The reviewed code shown does not implement broad indexing, but the intended persistence should be bounded.

Skill content

8. LEARNING UPDATE (weights, phrase bank, reference set)
9. LOGGING (append-only JSONL)

## Character Registry
- Persistent JSON

Recommendation

Keep persistent logs and registries project-scoped, document where they are stored, and provide retention and deletion controls.