vargai

v2.0.3

Generate AI videos, images, speech, and music using varg. Use when creating videos, animations, talking characters, slideshows, product showcases, social con...

by Alex @securityqq · duplicate of @securityqq/varg-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (AI video/image/speech/music via varg) align with requested artifacts: primary env var is VARG_API_KEY, anyBins lists curl or bun, and docs describe cloud (curl+API) or local (bun+ffmpeg) modes. Optional provider keys (Fal, ElevenLabs, etc.) are documented for BYOK billing and make sense for a gateway client.
Instruction Scope
SKILL.md primarily instructs how to submit TSX code to the render API, how to run local CLI (bunx vargai), and how to set up a .env with VARG_API_KEY. It references additional optional provider env vars and suggests running included setup scripts (scripts/setup.sh or bun scripts/setup.ts). The instructions do not request access to unrelated system credentials or paths, but they do encourage creating/editing a local .env and executing bundled scripts — inspect those scripts before running.
Install Mechanism
There is no formal install spec (instruction-only), which is lower risk. However two setup scripts are included (scripts/setup.sh, scripts/setup.ts) and the docs instruct running them; running bundled scripts executes code from the skill package locally. There are no external download URLs in the manifest, but you should review the scripts' contents before executing.
Credentials
The skill declares a single required credential (VARG_API_KEY) which is proportional to gateway usage. The docs additionally describe optional BYOK provider keys (FAL_KEY, ELEVENLABS_API_KEY, REPLICATE_API_TOKEN, OpenAI/Google keys for certain render-only flows). Those are optional but sensitive — only provide provider keys if you intend BYOK billing. The SKILL.md uses provider keys in request headers (header mode) and documents that header keys are not stored; saved BYOK is also mentioned (stored encrypted), which is a platform behavior to be aware of.
Persistence & Privilege
always:false and normal model invocation are used. The skill does not request system-wide persistent privileges. It may write a .env or create local cache directories per the local-render workflow (normal for CLI tools). It does not claim to modify other skills or global agent settings.
Assessment
This skill appears to do what it says: it uses a VARG_API_KEY to call varg.ai and supports optional local rendering with bun+ffmpeg. Before installing or running anything:
1) Inspect scripts/setup.sh and scripts/setup.ts (they are included) so you know what they modify or send; never run scripts you haven't reviewed.
2) Only supply VARG_API_KEY unless you intentionally want BYOK billing — optional provider keys (FAL_KEY, ELEVENLABS_API_KEY, OPENAI/GOOGLE keys) are sensitive and, when provided as headers, will be forwarded for single requests (the docs say header BYOK isn't stored).
3) Use preview modes (--preview or cloud preview) when iterating to avoid unexpected charges.
4) For local work, run in an isolated/dev environment if you are unsure (bun and ffmpeg required).
5) If you need higher assurance, paste the setup scripts here or inspect them manually and verify they don't exfiltrate data or fetch arbitrary code from unknown hosts.
scripts/setup.ts:25
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bt2t9t6vcy5f2dmvk3pp33s83gqpj

Runtime requirements

Any bin: curl, bun
Env: VARG_API_KEY
Primary env: VARG_API_KEY