Gen Video

ReviewAudited by ClawScan on May 1, 2026.

Overview

This is a coherent skills.video API helper, but it uses an account API key and can submit video-generation jobs that may consume credits.

Install only if you trust the skills.video publisher and intend to give the skill an API key. Keep generation endpoints on the documented open.skills.video service, review payloads before creating paid content, and avoid storing the key in plaintext shell files unless that is your chosen credential-management approach.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

The skill can make authenticated requests against your skills.video account and may consume credits when it creates generation jobs.

Why it was flagged

The helper reads the configured skills.video API key and uses it as bearer authentication for generation requests; this is expected for the service, but it grants account-level API authority.

Skill content

api_key = os.environ.get("SKILLS_VIDEO_API_KEY", "").strip() ... "Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated API key if possible, store it only in the intended OpenClaw or shell environment, monitor credit usage, and rotate the key if it is exposed.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If an untrusted full URL or base URL were used, the helper could send an authenticated request to an unintended service.

Why it was flagged

The script supports a full URL endpoint while also attaching the bearer API key, so endpoint choice should remain trusted and scoped to the intended skills.video API.

Skill content

parser.add_argument("--sse-endpoint", required=True, help="SSE create endpoint path or full URL") ... "Authorization": f"Bearer {api_key}"

Recommendation

Prefer the documented open.skills.video paths and defaults; do not pass full URLs or OpenAPI-derived endpoints from untrusted sources.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less registry-level provenance assurance before trusting the skill with an API key.

Why it was flagged

The registry source is not identified, even though the skill provides visible files and references a homepage/repository.

Skill content

Source: unknown

Recommendation

Verify the publisher, homepage, and referenced repository before installing or configuring credentials.