v1.5.2

Medeo Video

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:21 AM.

Analysis

This skill appears purpose-aligned for AI video generation and delivery, but it handles API keys, uploads user media to external services, and can use chat-platform credentials.

Guidance: Before installing, make sure you are comfortable giving the assistant access to a Medeo API key and, if used, chat-platform delivery credentials. Do not submit sensitive media or prompts unless you are willing to send them to Medeo for generation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low, Confidence: High, Status: Note
README.md
Generation runs in the background — your assistant will send you the video when it's ready.

The skill intentionally starts long-running asynchronous video generation jobs and later delivers results.

User impact: A video-generation job may continue after the initial chat response and send a result later.
Recommendation: Use this skill for requests where delayed background processing is acceptable, and check job history or status if needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
scripts/medeo_video.py
Resolution priority: 1. Environment variable MEDEO_API_KEY ... 2. Skill-local config file (~/.openclaw/workspace/medeo-video/config.json)

The skill uses a Medeo API key from the environment or a local config file to call the Medeo service.

User impact: The assistant may store and use a Medeo API key to create videos on the user's Medeo account.
Recommendation: Use a Medeo key you are comfortable delegating to the assistant, and revoke or rotate it if you no longer use the skill.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
scripts/feishu_send_video.py
config_path = os.path.expanduser("~/.openclaw/openclaw.json") ... app_id = main_acct.get("appId", "") ... app_secret = main_acct.get("appSecret", "")

The Feishu helper reads local OpenClaw Feishu app credentials to obtain a tenant token for sending generated videos.

User impact: If Feishu delivery is used, the skill can act through the configured Feishu app to upload and send video messages to users or chats.
Recommendation: Confirm the Feishu app's permissions and recipients are appropriate before using Feishu delivery.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: High, Status: Note
docs/assets-upload.md
API flow: `prepare_for_upload` → S3 presigned PUT → `create_from_upload` → poll job → media_id

User-provided media can be uploaded through Medeo/S3-backed upload flows as part of video generation.

User impact: Images, videos, URLs, and prompts provided for generation may be sent to Medeo and related storage endpoints.
Recommendation: Avoid submitting private or sensitive media unless you are comfortable sharing it with the Medeo video-generation service.