Shortvideo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a purpose-built ShortVideo integration, but it requires an API key and sends selected images/videos to ShortVideo where generation may consume credits.
Before installing, make sure you trust the publisher and API endpoint, keep the ShortVideo API key protected, and only upload media you are comfortable sending to ShortVideo. Review credit costs and commands before running large or expensive generation jobs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the agent may upload selected media and start paid video-generation jobs.
The skill is designed to run local Python scripts that upload inputs, create ShortVideo tasks, and poll status. This matches the stated purpose, but it performs network actions and can consume account credits.
The skill will automatically: ... Upload any local files or URLs ... Create the video generation task ... Poll for results
Review the generated command, selected files, and credit cost before running expensive jobs; ask the agent to show the command first if unsure.
Anyone with access to the configured key may be able to use the ShortVideo account or consume credits.
The skill requires a ShortVideo API key, giving delegated access to the user's ShortVideo account. This is expected for the integration, though the registry metadata lists no primary credential.
ShortVideo requires API credentials... "SHORTVIDEO_BASE_URL": "https://api.shortvideo.ai", "SHORTVIDEO_API_KEY": "your-api-key-here"
Store the API key only in trusted config files, rotate it if exposed, and verify the endpoint is the intended ShortVideo API.
Private product images, model images, videos, and prompts may be sent to ShortVideo for processing.
The script uploads local media to the configured ShortVideo/OSS endpoint using the user's API key. This is central to video generation, but it means selected media leaves the local machine.
url = f"{base_url}/api/oss/upload" ... headers = {"Authorization": f"Bearer {api_key}"} ... response = requests.post(url, files=files, data=data, headers=headers, timeout=60)
Only provide media you are comfortable uploading to the provider, prefer trusted HTTPS URLs, and avoid private or internal-network URLs.
Users have less external context for verifying the publisher or update history.
The registry does not provide a source repository or homepage, reducing provenance context. The visible artifacts are coherent and the static scan is clean, so this is a provenance note rather than a concern.
Source: unknown; Homepage: none
Install only if you trust the publisher, and review the included scripts before adding credentials.
