HeyGen AI Avatar Video (Lite)
v1.1.1
Create AI digital human videos with HeyGen API. Free starter guide.
⭐ 4 · 3.2k · 12 current · 12 all-time
by Ju Chun Ko (@daaab)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (create HeyGen avatar videos) matches the curl examples in SKILL.md; however the manifest declares no required environment variables or binaries while the runtime instructions clearly expect HEYGEN_API_KEY and use jq/curl. This is an incoherence between claimed requirements and actual usage.
Instruction Scope
SKILL.md instructs the agent to run curl requests against HeyGen endpoints and to read an environment variable HEYGEN_API_KEY (not declared). It also uses jq in examples (jq is not listed as a required binary). The README points users at uploading training videos (implying file upload) and includes affiliate/purchase links and a paid 'premium' offering hosted off-site. The instructions otherwise only send data to HeyGen endpoints, but the undeclared use of sensitive env vars and external payment/hosting links are concerning.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write or execute downloaded code on disk. That lowers install-related risk.
Credentials
Although the manifest lists no required env vars, the SKILL.md examples require HEYGEN_API_KEY (sensitive). The skill also references jq (a local binary). Sensitive credentials are being used but not declared as the primary credential; this omission is disproportionate and should be corrected before trusting the skill.
Persistence & Privilege
The skill does not request 'always: true' nor any system configuration paths. It appears user-invokable only and does not request persistent system privileges.
What to consider before installing
This skill appears to be a simple how-to for HeyGen, but the SKILL.md expects an HEYGEN_API_KEY and uses jq/curl even though the manifest lists no required credentials or binaries. Before installing or using it:
(1) Do not paste your primary HeyGen API key into an unknown skill — treat it as sensitive; consider creating a throwaway/test API key or account for trial.
(2) Confirm whether the skill will actually access any keys (the manifest should declare HEYGEN_API_KEY as a required credential).
(3) Note the affiliate and external-paid links — the premium scripts are sold off-site; review those sources before sending payment or credentials.
(4) If you proceed, restrict the API key's permissions and monitor HeyGen account activity.
If you want, ask the author to update the manifest to declare HEYGEN_API_KEY and list required binaries (curl, jq) so the skill's manifest and runtime instructions align.
Like a lobster shell, security has layers — review code before you run it.
