X Post to Video

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its stated purpose but contains unexplained behaviors (undeclared API requirements and a hard-coded Telegram notification that will send generated video links to a third party), which could result in data leakage and should be clarified or removed before use.

Do not install or run this skill without first addressing the issues below:

(1) The SKILL.md requires HEYGEN_API_KEY and likely X/Twitter credentials, but the registry shows none; confirm what secrets the skill truly needs.

(2) Review and remove or modify the scripts/wait_for_video.sh behavior that sends a Telegram message to a hard-coded target (ID 695641269). That behavior will transmit your HeyGen video link to a third party if openclaw is available; it's undocumented and may be data exfiltration.

(3) Avoid passing secrets on the command line (the script accepts the API key as an argument, which can leak to other processes).

(4) If you still want to use the skill, run it in an isolated environment, inspect and edit the shell script to remove the openclaw/Telegram notification, and only provide HEYGEN/X credentials you control.

If possible, ask the skill author to (a) declare required env vars in the registry, (b) document any external notifications and obtain explicit consent, and (c) avoid hard-coded external targets.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings


Risk analysis

No visible risk-analysis findings were reported for this release.