ClawHub

Skill Runway Video Gen

v1.0.0

Generate short product videos from images using Runway Gen4 Turbo. Use for TikTok ads, UGC-style product demos, Reels, and YouTube Shorts.

0· 395·3 current·3 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements image→video via Runway Gen4 Turbo and the SKILL.md usage matches the code. However, registry metadata lists no required env vars or config paths while the script expects a RUNWAY_API_KEY or ~/tiktok-api.json → runway.apiKey. Declared binary 'uv' is reasonable for running the script.
!
Instruction Scope
SKILL.md instructs running the included Python script and documents the API key lookup (env var or ~/tiktok-api.json). The script reads an image, base64-encodes it, sends it to https://api.dev.runwayml.com, polls for results, and downloads the produced MP4 — behavior consistent with purpose. Concern: it reads a user home config file (~/tiktok-api.json) which was not declared in registry metadata and could contain other secrets; SKILL.md does document this file but the top-level skill metadata omitted it.
Install Mechanism
No install spec (instruction-only plus a script). The Python shebang declares dependencies (requests) but there is no automated install step to ensure them. This is low risk but operationally brittle; the skill does not download or execute code from unknown URLs.
!
Credentials
The script requires a Runway API key (RUNWAY_API_KEY) or a key in ~/tiktok-api.json, but the skill's registry metadata lists no required environment variables or config paths. That mismatch is a proportion/visibility problem. Also the code posts your image data to api.dev.runwayml.com (a 'dev' subdomain) rather than an obvious production API host — that increases the risk that data could be handled by non-production infrastructure.
Persistence & Privilege
The skill does not request persistent autonomy (always is false), does not alter other skills or system configuration, and writes only the requested output file. No elevated privileges requested.
What to consider before installing
Before installing or running this skill: 1) Verify and provide a dedicated RUNWAY_API_KEY (or a safe ~/tiktok-api.json entry) — do not reuse high-privilege or unrelated keys. The registry metadata does not declare this requirement even though the script needs it. 2) Confirm the API host: the script uses https://api.dev.runwayml.com (a dev/staging-looking endpoint). Confirm with Runway documentation or the skill author that this is intentional; otherwise you may be sending images to a non-production endpoint. 3) Review ~/tiktok-api.json contents if you plan to rely on it — it may contain other secrets; prefer an env var with a least-privilege key. 4) Ensure Python (>=3.10) and the 'requests' dependency are available; the skill has no install step. 5) Remember your images and generated video are uploaded to an external service — consider privacy and IP implications. If anything above is unclear or you cannot verify the Runway API host, treat this skill as untrusted until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk972j51gvwweqk7mfsav37z2es8220s5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsuv

Comments