Hyperframes Video Studio

Advisory

Audited by Static analysis on May 10, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user confirms installation, npm will fetch and install the current package and its dependencies, which carries normal third-party package supply-chain risk.

Why it was flagged

The helper installs the Hyperframes npm package into the local .cache/npm prefix, but the package version is not pinned or locked.

Skill content

command = ["npm", "install", "--prefix", str(NPM_PREFIX), "hyperframes"]

Recommendation

Confirm installation only if you trust the package source; prefer a pinned version or lockfile for reproducible installs when possible.

What this means

If you point the skill at a broad or sensitive folder, excerpts and file metadata may be saved locally in the skill cache and later used as context for video generation.

Why it was flagged

The asset manifest stores absolute paths, hashes, and extracted text excerpts from user-selected files or folders.

Skill content

"path": str(resolved),
"sha256": _hash_file(resolved),
"text_excerpt": text,

Recommendation

Select only the files or folders needed for the video, review generated manifests if the source material is sensitive, and clear .cache when finished.

What this means

Narration text could be processed by an external TTS service if Edge-TTS is used.

Why it was flagged

The documentation discloses that the Edge-TTS fallback is network-backed, meaning narration text may be sent outside the local machine.

Skill content

Piper is local and open-source. Edge-TTS is zero-cost and keyless, but network-backed.

Recommendation

Use local Piper TTS for private or confidential narration, or avoid putting sensitive information in text sent to Edge-TTS.