Crazyrouter Video Gen
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Crazyrouter video-generation skill, but users should notice that it uses an API key and has minor metadata/configuration disclosure gaps.
Before installing, be comfortable sending your video prompts to Crazyrouter and using your CRAZYROUTER_API_KEY for generation. Verify that CRAZYROUTER_BASE_URL is not set to an untrusted endpoint, and choose the output file path carefully.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Crazyrouter API key and video prompt are sent to the provider and may incur account usage or charges.
The script uses a local API key as delegated account authority and sends it to the default Crazyrouter endpoint or to a configured base URL.
const API_BASE = process.env.CRAZYROUTER_BASE_URL || "https://crazyrouter.com/v1"; ... headers: { "Authorization": `Bearer ${apiKey}`Use a Crazyrouter key you trust, monitor provider usage, and do not set CRAZYROUTER_BASE_URL to an untrusted endpoint.
Install-time metadata may not warn you that an API key is needed.
The registry metadata under-declares the credential requirement that SKILL.md explicitly states: CRAZYROUTER_API_KEY.
Required env vars: none; Primary credential: none
Treat CRAZYROUTER_API_KEY as required before use; the publisher should declare it in metadata.
The selected output file can be created or overwritten with the downloaded video content.
The script downloads the video URL returned by the API and writes it to the user-provided output path, which is expected for this skill but still a file-writing capability.
const videoResponse = await fetch(url); ... await writeFile(args.output, buffer);
Choose an output path intentionally and avoid using sensitive or important existing file paths.