free-kameo
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its video-generation purpose, but it embeds a real-looking API key and includes unsafe credential/code-handling scripts that users should review before running.
Do not use the embedded API key or the registration helper as-is. If you install this skill, provide your own Kameo and optional Google API keys, avoid sensitive portraits unless you are comfortable uploading them, and fix the prompt-enhancement script so user input is passed safely rather than inserted into Python code.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

A malicious or malformed filename/dialogue could cause the agent to run unintended local Python commands during prompt enhancement.
Shell arguments are expanded directly into Python source inside a here-doc instead of being passed safely as argv/environment data; crafted quotes or newlines in the image path or dialogue can change the Python code that runs.
with open("$IMAGE_PATH", 'rb') as f: ... enhanced = text.replace("[DIALOGUE]", "$DIALOGUE")
Pass the image path and dialogue to Python via sys.argv, environment variables, or JSON with proper escaping, and validate that the image path is an intended local file.

Users may unknowingly use a shared or exposed account key, tying their uploads and generated videos to someone else’s Kameo account or consuming that account’s credits.
The documentation contains a real-looking Kameo API key rather than a placeholder, despite credentials being absent from the registry metadata.
export KAMEO_API_KEY="kam_I3rdx43..."
Remove and rotate the exposed key, replace it with a placeholder such as kam_..., and require users to provide their own declared Kameo API key.

A user’s email/password can be exposed in shell history or process listings and may be sent to an unintended or nonfunctional endpoint if the helper is run as provided.
The recommended registration helper accepts a user password on the command line and posts it to a placeholder Supabase auth endpoint rather than a clearly declared Kameo-owned login flow.
SUPABASE_URL="https://YOUR_PROJECT.supabase.co" ... EMAIL="$1" ... PASSWORD="$2" ... /auth/v1/signup
Remove the helper or replace it with an official, documented Kameo OAuth/API-key flow that does not take passwords as command-line arguments.

Private or sensitive photos uploaded for generation leave the local machine and are processed by Kameo.
The script sends a user-selected local image to the Kameo API, which is necessary for the stated video-generation purpose.
"image_base64": "$(base64 -w0 "$IMAGE_PATH" ...)", ... curl -s -X POST "$API_BASE/generate"
Only use images you are comfortable uploading to Kameo, and document this data flow clearly in metadata/capability declarations.

Using the enhanced workflow shares the image with an additional provider, which may matter for portraits, faces, or private media.
The enhanced workflow sends the selected image to Google Gemini for vision analysis before sending the prompt to Kameo; this is disclosed in the docs but not declared in registry credentials/capabilities.
api_key = os.environ.get('GOOGLE_API_KEY') ... generativelanguage.googleapis.com ... "data": img_b64
Declare the Google/Gemini dependency and credential, and let users choose the non-enhanced workflow if they do not want the image sent to Google.

Users may not realize before installation that local scripts, external APIs, and credentials are needed.
The registry metadata under-declares provenance, runtime tools, and credentials compared with the included scripts and documentation.
Source: unknown; Homepage: none; Required binaries: none; Required env vars: none; No install spec
Update metadata to declare required tools, Kameo and Google credentials, homepage/source provenance, and the external network data flows.
