Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Generator | 视频生成器

Automated text-to-video pipeline with multi-provider TTS/ASR support - OpenAI, Azure, Aliyun, Tencent

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 583 · 15 current installs · 16 all-time installs
by Justin Liu @ZhenStaff

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name and description (text-to-video, multi-provider TTS/ASR) align with the runtime instructions (use OpenAI/Alibaba/Azure/Tencent keys, Remotion, ffmpeg, node). However the registry top-level metadata provided earlier claims no required env vars or binaries, while SKILL.md lists multiple required env vars and tools — that mismatch is an incoherence that should be resolved before trusting the package.
Instruction Scope
SKILL.md (and localized variants) provide concrete shell commands to clone, run, and install the project under ~/openclaw-video and to run scripts like generate-for-openclaw.sh and agents/video-cli.sh. These instructions legitimately require API keys and access to project files. Concerns: (1) the docs assert 'all code runs locally / no external servers (except OpenAI API)' — that is a claim about runtime behavior that cannot be verified by the instruction text alone (the npm package or repo code could contact other endpoints or run postinstall scripts); (2) the Chinese SKILL file includes an 'AUTO-TRIGGER' policy for agents to invoke the skill on keyword matches — this broad trigger logic can increase exposure if keys are present; (3) instructions recommend global npm installs (and sudo) and passing API keys on the command line as an option (command-line API key use can leak keys via process lists).
Install Mechanism
Installation is via the public npm package openclaw-video-generator (npm install -g). Using npm is expected for Node-based tools, but npm packages can run arbitrary postinstall scripts and network activity during install. The SKILL.md claims a 'verified repository' and shows a verified_commit in a comment, yet other places reference different commit hashes and versions (e.g., README lists v1.3.1; SKILL.md comment references 75df997; clone instructions reference ac3c568). These mismatches are an integrity/incoherence signal — verify the actual package contents and the repository/commit before installing. No direct download from unknown personal servers is used, which lowers installer risk compared to arbitrary archives, but npm still has moderate risk.
Credentials
The env vars requested in SKILL.md (OPENAI_API_KEY and optional provider keys for Aliyun/Azure/Tencent) are proportional and expected for a multi-provider TTS/ASR pipeline. However the registry summary at the top claimed 'Required env vars: none' while the skill instructions require keys — that discrepancy is concerning. Also note: the skill suggests passing API keys via command line (less safe); prefer project-level .env or process-environment variables and only provide the minimum provider credentials you intend to use.
Persistence & Privilege
The skill is not force-enabled (always: false) and uses normal autonomous invocation behavior. It instructs installing a global npm binary (possible use of sudo) which affects system-wide PATH and requires privilege to write to global locations — this is normal for CLI tools but increases the impact of malicious postinstall scripts. There is no instruction to modify other skills or system-wide agent configs beyond installing the package.
Scan Findings in Context
[static-scan-none] expected: No regex/static-scan findings — all files are instruction-only (SKILL.md, localized SKILLs, README). The scanner had no code files to analyze; absence of findings is not evidence of safety. You must inspect the npm package and GitHub repo code.
What to consider before installing
What to consider before installing and running this skill:

  • Resolve metadata inconsistencies: the registry summary says there are no required env vars/tools but SKILL.md clearly requires OPENAI_API_KEY and various tools. Ask the publisher (or inspect the package) to confirm exact requirements.
  • Inspect the code before installing the npm package: clone https://github.com/ZhenRobotics/openclaw-video-generator and check the repository content and the commit hash you will run. The SKILL files reference multiple different commit hashes/versions — confirm which one is actually published to npm.
  • Prefer local/project install over global npm -g: installing in a project directory (and using a .env) reduces system-wide impact and avoids sudo. Avoid passing API keys on the command line (process list leakage); use environment variables or a project .env file with restricted file permissions.
  • Audit package scripts: npm packages can execute postinstall scripts. Review package.json scripts (postinstall/install) and any network or telemetry code before running a global install.
  • Limit credentials: only provide the provider keys you intend to use. Do not paste multiple cloud provider keys unless necessary. Consider creating dedicated API keys with minimal permissions and rotate them after testing.
  • Validate network behavior: review network calls in runtime code (which services are contacted besides OpenAI). The SKILL claims 'local only except OpenAI' — verify this by reviewing code and runtime network logs.
  • If you are not able to audit the code, prefer to run the tool inside an isolated environment (container or VM) that limits access to sensitive files and credentials.

If those checks pass (verified repository/commit, no suspicious postinstall scripts, minimal external endpoints), the skill's requested permissions are consistent with its stated function. If you cannot perform these checks, treat the package as higher risk and avoid adding sensitive credentials.
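
The advice above to audit package scripts before a global install can be mechanized. This is an added example, not code from the scanner or from the openclaw-video-generator project: a Node.js script that walks an unpacked package tree and lists every command npm would run at install time, including the implicit `node-gyp rebuild`. The sample tree and all package names in it are constructed.

```javascript
// Added example: list the scripts npm would execute while installing a package tree.
const fs = require("fs"), os = require("os"), path = require("path");
// Hooks npm runs when installing from the registry; "prepare" also runs on
// `npm install` inside a git clone (the page's Method 2).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function installHooks(pkgDir) {
  const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8"));
  const scripts = manifest.scripts || {};
  const found = INSTALL_HOOKS.filter((h) => scripts[h]).map((h) => ({ hook: h, command: scripts[h] }));
  // A binding.gyp with no install/preinstall script makes npm run `node-gyp rebuild`.
  if (fs.existsSync(path.join(pkgDir, "binding.gyp")) && !scripts.install && !scripts.preinstall) {
    found.push({ hook: "install (implicit)", command: "node-gyp rebuild" });
  }
  return found.map((f) => ({ package: manifest.name || pkgDir, ...f }));
}

// Recurse through node_modules, including @scope directories and nested dependencies.
function auditTree(rootDir) {
  const findings = installHooks(rootDir);
  const modules = path.join(rootDir, "node_modules");
  if (!fs.existsSync(modules)) return findings;
  for (const entry of fs.readdirSync(modules)) {
    if (entry.startsWith(".")) continue; // .bin, .package-lock.json
    const dir = path.join(modules, entry);
    const pkgDirs = entry.startsWith("@") ? fs.readdirSync(dir).map((n) => path.join(dir, n)) : [dir];
    for (const p of pkgDirs) {
      if (fs.existsSync(path.join(p, "package.json"))) findings.push(...auditTree(p));
    }
  }
  return findings;
}

// Constructed sample tree (all names made up): a CLI with a postinstall hook,
// a scoped dependency shipping a binding.gyp, and a dependency with no hooks.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "audit-"));
  const write = (rel, body) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), typeof body === "string" ? body : JSON.stringify(body));
  };
  write("package.json", { name: "sample-cli", scripts: { postinstall: "node setup.js", test: "jest" } });
  write("node_modules/@sample/native/package.json", { name: "@sample/native" });
  write("node_modules/@sample/native/binding.gyp", "{}");
  write("node_modules/plain-lib/package.json", { name: "plain-lib", scripts: { build: "tsc" } });
  return root;
}

console.table(auditTree(buildSampleTree()));
```

Point `auditTree` at a scratch directory populated with `npm install --ignore-scripts`; every finding is a command to read before allowing scripts to run.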

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.26
latest: vk976pq3khk9r2m7nt6v7bscae18338xa

SKILL.md

🎬 Video Generator Skill

Automated text-to-video generation system that transforms text scripts into professional short videos with AI-powered voiceover, precise timing, and cyber-wireframe visuals.

🔒 Security & Trust

This skill is safe and verified:

  • ✅ All code runs locally on your machine
  • No external servers (except OpenAI API for TTS/Whisper)
  • ✅ Source code is open source and auditable
  • ✅ Uses official npm package (openclaw-video-generator)
  • Verified repository: github.com/ZhenRobotics/openclaw-video-generator
  • No data collection - all processing is local

Required API Access:

  • OpenAI API key (for TTS and Whisper) - you maintain control

📦 Installation

Prerequisites Check

Before installation, verify you have:

# Check Node.js (requires >= 18)
node --version

# Check npm
npm --version

# Check ffmpeg (required for video processing)
ffmpeg -version

If missing, install:

# Ubuntu/Debian
sudo apt install nodejs npm ffmpeg

# macOS
brew install node ffmpeg

Installation Methods

Both methods are fully supported. Choose based on your needs:

| Feature | npm Global Install | Git Clone Local Install |
|---|---|---|
| Difficulty | ⭐ Simple (one command) | ⭐⭐ Requires clone + npm install |
| Updates | npm update -g | git pull && npm install |
| Use Case | End users, quick start | Developers, code customization |
| API Keys | System environment variables | Project .env file (recommended) |
| Disk Usage | Small (single global copy) | Each project has its own copy |
| Recommended For | Terminal users, AI agents | Developers, teams |

Method 1: npm Package (Quick Start)

Pros: Simple installation, global access, easy updates

⚠️ Note: Requires system-level environment variable configuration

# Install from verified npm registry
npm install -g openclaw-video-generator

# Configure API Key (choose one):
# Option A: Environment variable (recommended)
export OPENAI_API_KEY="sk-..."
# Add to ~/.bashrc (Linux) or ~/.zshrc (macOS)

# Option B: Pass via command line
# (arguments are visible in process listings and saved in shell history; prefer Option A)
openclaw-video-generator generate "your text" --api-key "sk-..."

# Verify installation
openclaw-video --version

Method 2: From Source (Developer Recommended)

Pros: Can modify code, project-local .env, easier debugging

⚠️ Note: Requires git clone and manual dependency installation

# Clone from verified repository
git clone https://github.com/ZhenRobotics/openclaw-video-generator.git ~/openclaw-video-generator

# Verify commit (security check)
cd ~/openclaw-video-generator
git rev-parse HEAD  # Prints the full hash; it should begin with the verified commit: ac3c568

# Install dependencies
npm install

# Configure .env file (project-level, more secure)
cp .env.example .env
nano .env  # Add your API keys here

# Build (if needed)
npm run build

macOS Users - Special Notes:

If you encounter permission issues with npm global install:

# Solution A: Use sudo (simple but requires password)
sudo npm install -g openclaw-video-generator

# Solution B: Configure npm to user directory (recommended, permanent fix)
mkdir -p ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
npm install -g openclaw-video-generator

For macOS users, we recommend Method 2 (Git Clone) because:

  • ✅ Clearer paths, no global install permissions needed
  • ✅ Easier .env file management
  • ✅ Better for debugging
  • ✅ Avoids zsh/bash environment variable confusion

💬 Need Help with Deployment? Contact our official maintenance partner: 专注人工智能的黄纪恩学长(闲鱼 Xianyu)for technical support and troubleshooting.

API Key Configuration

IMPORTANT: Store API key securely in .env file (never hardcode in scripts)

cd ~/openclaw-video-generator
# Restrict permissions before the key is written
touch .env && chmod 600 .env
cat > .env << 'EOF'
# OpenAI API Configuration
OPENAI_API_KEY="sk-your-key-here"
OPENAI_API_BASE="https://api.openai.com/v1"
EOF

# Secure the file
chmod 600 .env

Verify Installation

cd ~/openclaw-video-generator
./scripts/test-providers.sh

Expected output:

✅ TTS: 1 provider(s) configured (openai)
✅ ASR: 1 provider(s) configured (openai)

🚀 Usage

When to Use This Skill

AUTO-TRIGGER when user mentions:

  • Keywords: video, generate video, create video, 生成视频
  • Provides a text script for video conversion
  • Wants text-to-video conversion

EXAMPLES:

  • "Generate video: AI makes development easier"
  • "Create a video about AI tools"
  • "Make a short video with this script..."

DO NOT USE for:

  • Video editing or clipping
  • Video playback or format conversion only

🎯 Core Features

  • 🎤 Multi-Provider TTS - OpenAI, Azure, Aliyun, Tencent (auto-fallback)
  • ⏱️ Timestamp Extraction - Precise speech-to-text segmentation
  • 🎬 Scene Detection - 6 intelligent scene types
  • 🎨 Video Rendering - Remotion with cyber-wireframe style
  • 🖼️ Background Videos - Custom backgrounds with opacity control
  • 🔒 Secure - Local processing, no data sent to third parties

💻 Agent Usage Guide

CRITICAL SECURITY NOTES

  1. Project Location: Use existing install at ~/openclaw-video-generator/
  2. Never: Clone new repos without user confirmation
  3. Always: Verify .env file exists before running commands
  4. Check: Tools availability (node, npm, ffmpeg) before execution

Primary Command: Generate Video

Standard Generation:

cd ~/openclaw-video-generator && \
./scripts/script-to-video.sh <script-file> \
  --voice nova \
  --speed 1.15

With Background Video:

cd ~/openclaw-video-generator && \
./scripts/script-to-video.sh <script-file> \
  --voice nova \
  --speed 1.15 \
  --bg-video "backgrounds/tech/video.mp4" \
  --bg-opacity 0.6 \
  --bg-overlay "rgba(10,10,15,0.4)"

Example Flow:

User: "Generate video: AI makes development easier"

Agent:

  1. Check if project exists: ls ~/openclaw-video-generator
  2. Create script file:
    cat > ~/openclaw-video-generator/scripts/user-script.txt << 'EOF'
    AI makes development easier
    EOF
    
  3. Execute:
    cd ~/openclaw-video-generator && \
    ./scripts/script-to-video.sh scripts/user-script.txt
    
  4. Show output: ~/openclaw-video-generator/out/user-script.mp4

Provider Configuration

Multi-Provider Support (v1.2.0+):

The system supports automatic fallback across providers:

  • OpenAI (default)
  • Azure (enterprise)
  • Aliyun (China)
  • Tencent (China)

Configure in .env:

# Provider priority (tries left to right)
TTS_PROVIDERS="openai,azure,aliyun,tencent"
ASR_PROVIDERS="openai,azure,aliyun,tencent"

Check configuration:

cd ~/openclaw-video-generator && ./scripts/test-providers.sh

⚙️ Configuration Options

TTS Voices

OpenAI:

  • nova - Warm, energetic (recommended for short videos)
  • alloy - Neutral
  • echo - Clear, male
  • shimmer - Soft, female

Azure (if configured):

  • zh-CN-XiaoxiaoNeural - Female, general
  • zh-CN-YunxiNeural - Male, warm
  • zh-CN-XiaoyiNeural - Female, sweet

Speech Speed

  • Range: 0.25 - 4.0
  • Recommended: 1.15 (fast-paced)
  • Default: 1.0

Background Video Options (v1.2.0+)

  • --bg-video <path> - Background video file
  • --bg-opacity <0-1> - Opacity (0=invisible, 1=fully visible)
  • --bg-overlay <rgba> - Overlay color for text clarity

Recommended Settings:

| Content Type | Opacity | Overlay |
|---|---|---|
| Text-focused | 0.3-0.4 | rgba(10,10,15,0.6) |
| Balanced | 0.5-0.6 | rgba(10,10,15,0.4) |
| Background-focused | 0.7-1.0 | rgba(10,10,15,0.25) |

📊 Video Specifications

  • Resolution: 1080 x 1920 (vertical, optimized for shorts)
  • Frame Rate: 30 fps
  • Format: MP4 (H.264 + AAC)
  • Style: Cyber-wireframe with neon colors
  • Duration: Auto-calculated from script length

🎨 Scene Types (Auto-Detected)

| Type | Visual Effect | Trigger |
|---|---|---|
| title | Glitch + spring scale | First segment |
| emphasis | Pop-up zoom | Contains numbers/percentages |
| pain | Shake + red warning | Problems, pain points |
| content | Smooth fade-in | Regular content |
| circle | Rotating ring | Listed points |
| end | Slide-up fade-out | Last segment |

💰 Cost Estimation

Per 15-second video: ~$0.003 (< 1 cent):

  • OpenAI TTS: ~$0.001
  • OpenAI Whisper: ~$0.0015
  • Remotion rendering: Free (local)

🔧 Troubleshooting

Issue 1: Project Not Found

# Check installation
ls ~/openclaw-video-generator

# If missing, install via npm (safe)
npm install -g openclaw-video-generator

# Or clone from verified source
git clone https://github.com/ZhenRobotics/openclaw-video-generator.git ~/openclaw-video-generator
cd ~/openclaw-video-generator && npm install

Issue 2: API Key Error

Error: Missing OPENAI_API_KEY or model_not_found

Solution:

  1. Verify .env file exists (without printing the key to the terminal):
    ls -l ~/openclaw-video-generator/.env
    
  2. If missing, create it:
    cd ~/openclaw-video-generator
    touch .env && chmod 600 .env
    echo 'OPENAI_API_KEY="sk-your-key-here"' > .env
    
  3. Ensure API key has TTS + Whisper access
  4. Verify account has sufficient balance (min $5)

Issue 3: Provider Failures

Error: "All providers failed"

Solution:

# Check provider configuration
cd ~/openclaw-video-generator && ./scripts/test-providers.sh

# Configure additional providers
cat >> .env << 'EOF'
# Azure (optional fallback)
AZURE_SPEECH_KEY="your-azure-key"
AZURE_SPEECH_REGION="eastasia"
EOF

Issue 4: Network/Geographic Restrictions

Error: SSL_connect: 连接被对方重置

Solution: Configure alternative providers (Azure, Aliyun, Tencent) in .env

See: MULTI_PROVIDER_SETUP.md for detailed configuration


📚 Documentation


🎯 Agent Behavior Guidelines

DO:

  • ✅ Verify project exists before executing commands
  • ✅ Check .env configuration before API calls
  • ✅ Use existing project directory (~/openclaw-video-generator/)
  • ✅ Provide clear progress feedback
  • ✅ Show output file location after completion
  • ✅ Handle errors gracefully with actionable solutions

DON'T:

  • ❌ Clone repositories without user confirmation
  • ❌ Create new Remotion projects (use existing)
  • ❌ Hardcode API keys in commands
  • ❌ Ignore security warnings
  • ❌ Run untrusted scripts

📊 Tech Stack

  • Remotion: React-based video framework
  • OpenAI: TTS + Whisper APIs
  • Azure/Aliyun/Tencent: Alternative providers
  • TypeScript: Type-safe development
  • Node.js: Runtime (v18+)
  • FFmpeg: Video processing

🆕 Version History

v1.2.0 (2026-03-07) - Current

  • ✨ Background video support
  • 🌐 Multi-provider architecture (OpenAI, Azure, Aliyun, Tencent)
  • 🔄 Automatic provider fallback
  • 🔒 Enhanced security (proper .env handling)

v1.1.0 (2026-03-05)

  • ✨ Custom color support
  • 📦 npm package published
  • 🔐 Removed hardcoded API keys

v1.0.0 (2026-03-03)

  • ✨ Initial release

🔒 Security & Privacy

Data Processing:

  • ✅ All video rendering is local
  • ✅ Audio processing is local
  • ⚠️ TTS/ASR uses OpenAI API (text/audio sent to OpenAI)

API Key Safety:

  • ✅ Stored in .env file (not in code)
  • ✅ File permissions: 600 (owner read/write only)
  • ✅ Never committed to git (.gitignore)

Verification:


Project Status: ✅ Production Ready & Verified

License: MIT

Author: @ZhenStaff

Support: https://github.com/ZhenRobotics/openclaw-video-generator/issues

ClawHub: https://clawhub.ai/ZhenStaff/video-generator
