PentoVideo - AI Video Factory
Pass
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a coherent video-production skill, but users should review the external install, cloud media-processing, and optional publishing/account steps before using them.
Before installing or running production commands, verify the GitHub repository and dependencies. Avoid sending confidential scripts, images, PPTs, or audio to external providers unless approved. Confirm explicitly before any publish, GitHub, or AWS-profile command is run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running dependency installation from an external repo can execute third-party package scripts on the user's machine.
The setup instructions ask the user to clone and install dependencies from an external repository; this is expected for a video-rendering framework but should be verified before running install scripts.
git clone https://github.com/zhbcher/pentovideo.git
# Install dependencies
pnpm install
Review the repository, package files, and lockfile first; prefer pinning a trusted commit and running setup in a sandboxed project environment.
User prompts, scripts, images, PPT contents, audio, or generated media may be sent to external tools or services during production.
The skill discloses use of external or provider-style services for image generation, text-to-speech, OCR, and transcription/captioning, which may process user media or scripts.
Includes pre-flight gate, prompt expansion, SenseNova image gen, OCR QA, Edge TTS, Whisper captions
Do not use sensitive or confidential materials with external AI/TTS/OCR/transcription services unless the provider and data-handling terms are acceptable.
If invoked, the agent could act through the user's GitHub or AWS-authenticated environment to publish previews, upload images, push branches, or open pull requests.
The optional catalog-contribution workflow may use local AWS and GitHub credentials and push/publish content, which is coherent for contributing but requires explicit user approval.
run `scripts/upload-docs-images.sh` (requires AWS profile `engineering-767398024897`) ... run `gh auth login` ... `git push origin feat/registry-{name}`
Only run contribution/publishing steps after confirming the target account, repository, branch, and files; use least-privileged profiles where possible.
Project prompts and design context may persist on disk after the video task finishes.
The workflow stores an expanded prompt file in project-local state, which is useful for production continuity but may contain user intent, brand details, or script information.
Output to `.pentovideo/expanded-prompt.md`
Treat .pentovideo files as project data; avoid including secrets and delete or protect them if they contain sensitive information.
