OpenClaw AI Video Editor
PassAudited by ClawScan on May 17, 2026.
Overview
This is a disclosed API-backed video editing skill that uses a Levea/OpenClaw API key to edit and export videos, with no artifact evidence of hidden exfiltration or malicious behavior.
Install only if you intend to use the Levea/OpenClaw video-editing API. Configure the API key and URL carefully, approve plans before mutating important projects, preview every export before publishing, and avoid reusing workingMemory across unrelated videos.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent can change a video project and export results; mistakes could require reverting or re-editing.
The skill can perform mutating video edits, but the artifact explicitly requires confirmation before non-read operations.
Before executing any mutating edit on user content (anything beyond `read_*` / `query_*`), describe the planned edit and request explicit confirmation from the user.
Preview outputs before sharing and use `requirePlanApproval: true` for important, destructive, or hard-to-reverse edits.
The configured API key may grant access to the user's video-editing account or projects on the provider service.
The skill uses a provider API key from the environment to authenticate network requests, which is expected for this API-backed editor.
'Authorization': `Bearer ${process.env.ADSCENE_API_KEY}`Use a least-privilege API key if available, store it securely, and ensure `ADSCENE_API_URL` points only to the intended provider endpoint.
Installing the skill makes its packaged code available to run when the tool is invoked.
The skill is not only instructions; it includes executable runtime JavaScript packaged as an OpenClaw runtime extension.
"runtimeExtensions": [
"dist/index.js"
]Install from the expected package/source and review updates, especially because the registry summary under-declares the runtime and environment requirements.
Reusing the wrong workingMemory could resume an old or unintended edit plan.
The workflow can carry planning state across calls, which is useful for approvals but can also carry stale or untrusted context.
`workingMemory` — durable working-memory snapshot. Re-send to resume after `awaiting_approval`
Only reuse workingMemory from the same trusted project/session, and start fresh when switching videos or workflows.
A user who configures the wrong provider URL could send video data or an API key to an unintended endpoint.
The documentation references provider domains and account/key setup; users should verify these domains before entering credentials.
Use `https://api.livecore.ai` for `ADSCENE_API_URL`; Studio is only for signup, login, and key management.
Confirm the official provider domains independently before creating keys or setting `ADSCENE_API_URL`.