Automated Video Generator
Security checks across malware telemetry and agentic risk
Overview
The video generator is mostly purpose-aligned, but it ships actual-looking API keys and exposes sensitive environment and command-running capabilities that need review before use.
Use caution before installing. The project purpose is coherent for a self-hosted video generator, but remove any bundled .env secrets, supply your own provider keys, confirm MCP env values are masked, and verify that command-running tools cannot execute arbitrary shell commands.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could trigger local commands that modify generated files, run renders, or otherwise affect the project environment.
The MCP pipeline command path executes a variable command through the shell. Running pipeline commands is purpose-aligned, but this is high-impact unless a strict whitelist and user approval are enforced.
const child: ChildProcess = exec(cmd, { cwd: resolveProjectPath() }, (error, stdout, stderr) => {Verify that only a small fixed set of safe pipeline commands can be run, avoid arbitrary shell strings, and require explicit user confirmation for cleanup, generation, or deletion actions.
The app may use leaked or shared provider credentials, and those keys could be abused or rate-limited by anyone who receives the artifact.
The packaged artifact contains actual-looking provider API credentials even though the registry declares no credentials or required environment variables.
PEXELS_API_KEY=O23...; GEMINI_API_KEY=AIza...
Remove real secrets from the skill package, rotate the exposed keys, ship only .env.example placeholders, and declare required/optional credentials in metadata.
Installing or running the package executes local application code and dependencies on the user's machine.
The skill asks users to run an npm-hosted package, and the same document also promotes downloading a Windows .exe installer. This is expected for this kind of app, but users must trust the package and release source.
claude mcp add automated-video-generator -- npx automated-video-generator
Install from the official repository/package only, prefer pinned versions where possible, and verify release provenance before running the Windows installer.
An attached agent may be able to read or alter provider configuration that includes API keys or service settings.
The MCP interface exposes environment viewing and editing. Because this project stores API keys in .env, these tools are sensitive unless values are masked and changes are explicitly approved.
"read_env_config", "description": "View environment settings." ... "update_env_config", "description": "Change environment settings."
Mask secret values in MCP responses, require explicit user approval before updating env configuration, and avoid exposing full .env contents to agent context.