AI Video

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its video-generation purpose, but review it because a helper can attach your skills.video API key to full URLs instead of being clearly limited to the provider host.

Install only if you are comfortable giving this skill a skills.video API key and submitting prompts to that service. Use the default open.skills.video endpoints, do not let untrusted specs or instructions change the endpoint/base URL, prefer a secret store over ~/.zshrc for the key, and monitor credit usage.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or user supplies the wrong full URL, the skills.video API key could be sent to a non-provider server, allowing account abuse or credit consumption.

Why it was flagged

The helper is designed to accept full endpoint URLs and the SSE request attaches SKILLS_VIDEO_API_KEY as a bearer token; the provided artifact text does not show host allowlisting before adding the credential.

Skill content

parser.add_argument("--sse-endpoint", required=True, help="SSE create endpoint path or full URL") ... if endpoint.startswith("http://") or endpoint.startswith("https://"): return endpoint ... "Authorization": f"Bearer {api_key}"

Recommendation

Use only open.skills.video endpoints, avoid endpoint/base-url overrides from untrusted sources, and add host validation so the API key is sent only to the intended provider over HTTPS.

What this means

A requested generation can spend credits and keep running until the configured timeout or terminal status.

Why it was flagged

The skill is intended to create remote generation jobs and wait on them, which is purpose-aligned but gives the agent authority to make provider API calls.

Skill content

Execute `POST /generation/sse/...` as default and keep the stream open. ... If SSE does not reach terminal completion, poll `GET /generation/{id}`

Recommendation

Invoke it only for prompts you intend to submit, keep timeouts bounded, and monitor credits or billing on the provider account.

What this means

Prompts and any payload fields you provide are sent to the external video-generation service.

Why it was flagged

Generation payloads are posted to the external skills.video API, which is expected for this skill but privacy-relevant.

Skill content

parser.add_argument("--base-url", default="https://open.skills.video/api/v1") ... data=json.dumps(payload).encode("utf-8")

Recommendation

Do not include sensitive private content unless you are comfortable sharing it with the provider under its terms and privacy policy.

What this means

A persisted key may be visible to anyone or anything that can read your shell configuration file.

Why it was flagged

The missing-key helper suggests an optional setup command that stores the API key persistently in a shell profile.

Skill content

"echo 'export SKILLS_VIDEO_API_KEY=\"<YOUR_API_KEY>\"' >> ~/.zshrc && source ~/.zshrc"

Recommendation

Prefer OpenClaw's skill environment or a secret manager, and ensure local shell profile files have appropriate permissions if you use them.