Security audit
OpenClaw ShortDrama Plugin
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, scripts, and runtime instructions are coherent with its stated purpose (a local OpenClaw short-drama workflow using BytePlus/ARK); the required API key and local tooling are proportional, but there are a couple of small inconsistencies to verify before running.
This package appears to do what it says: a local short-drama workflow that calls BytePlus/ARK for LLM, image, and video generation. Before installing, check these points: 1) Confirm you are comfortable providing a BytePlus API key (use a limited-scope key if possible) and store it only in the plugin-local .env; 2) Inspect .env.example to see what variables will be loaded and avoid putting other host secrets into the plugin .env; 3) Note the TypeScript tool outputs a manual command with a placeholder SOURCE_CHECKOUT path — when running from a real checkout you may need to run the wrapper from the plugin root (./scripts/run_shortdrama.sh) or update the command to the correct path; 4) The Python code makes HTTP calls and uploads image data (as data URLs) to BytePlus for video generation — verify the ARK_BASE_URL value if you have region-specific endpoints; 5) Run bootstrap_env.sh and the smoke test in a controlled environment first to confirm behavior. If you want higher assurance, review the plugin-local .env contents and run the smoke test on an isolated machine before adding the plugin to a production host.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
