Hyperframes Video Studio

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: hyperframes-video-studio
Version: 1.1.3

The hyperframes-video-studio skill bundle is a well-structured and safety-conscious implementation for generating video projects. It includes a mandatory pre-flight system audit (system_audit.py) to check disk, RAM, and CPU thresholds, and enforces local-only dependency management (install_hyperframes.py) to avoid global system changes. The SKILL.md instructions explicitly address security by directing the AI agent to treat all ingested assets as data rather than instructions, effectively mitigating prompt-injection risks. No evidence of data exfiltration, unauthorized network calls, or malicious code execution was found across the Python scripts or template configurations.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user confirms installation, npm will fetch and install the current package and its dependencies, which carries normal third-party package supply-chain risk.

Why it was flagged

The helper installs the Hyperframes npm package into the local .cache/npm prefix, but the package version is not pinned or locked.

Skill content

command = ["npm", "install", "--prefix", str(NPM_PREFIX), "hyperframes"]

Recommendation

Confirm installation only if you trust the package source; prefer a pinned version or lockfile for reproducible installs when possible.

What this means

If you point the skill at a broad or sensitive folder, excerpts and file metadata may be saved locally in the skill cache and later used as context for video generation.

Why it was flagged

The asset manifest stores absolute paths, hashes, and extracted text excerpts from user-selected files or folders.

Skill content

"path": str(resolved),
"sha256": _hash_file(resolved),
"text_excerpt": text,

Recommendation

Select only the files or folders needed for the video, review generated manifests if the source material is sensitive, and clear .cache when finished.

What this means

Narration text could be processed by an external TTS service if Edge-TTS is used.

Why it was flagged

The documentation discloses that the Edge-TTS fallback is network-backed, meaning narration text may be sent outside the local machine.

Skill content

Piper is local and open-source. Edge-TTS is zero-cost and keyless, but network-backed.

Recommendation

Use local Piper TTS for private or confidential narration, or avoid putting sensitive information in text sent to Edge-TTS.