AI UGC Video Pipeline
v1.2.0End-to-end AI UGC video pipeline. Product info → GPT-4o-mini script → ElevenLabs voiceover → Aurora talking head (fal-ai/creatify/aurora) → Kling 2.6 Pro pro...
⭐ 0· 278·2 current·2 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The described purpose (GPT → ElevenLabs → fal.ai Aurora/Kling → Whisper → ffmpeg) legitimately requires FAL_KEY, ELEVENLABS_API_KEY, OPENAI_API_KEY and binaries like node and ffmpeg; the SKILL.md lists those. However the registry metadata at the top of the submission indicates no required env vars or binaries — a direct inconsistency between what the skill claims to need and what the package declares. The stated purpose itself aligns with the APIs named, but the metadata/manifest mismatch is suspicious.
Instruction Scope
The runtime instructions tell the agent to run npm install and multiple node scripts (generate.js, broll.js, transcribe_captions.js) and a Python overlay.py, and to call external APIs (fal.ai, ElevenLabs, OpenAI). Those calls are expected for this pipeline. Crucially, the skill bundle contains only SKILL.md and no code files or scripts referenced by the instructions — so the instructions cannot be executed as-is from this package. The doc also references a binary named 'uv' (unclear meaning) and a cross-skill dependency (skill-tiktok-ads-video) which are not further explained.
Install Mechanism
There is no install spec in the registry (instruction-only), which normally lowers risk. But SKILL.md instructs running npm install and node scripts as if code were included. Because no code or install artifacts are present in the package, the instructions either assume an external repository or are incomplete/misleading. That mismatch (no install vs. instructions that require package installation) is a red flag.
Credentials
The environment variables required by SKILL.md (FAL_KEY, ELEVENLABS_API_KEY, OPENAI_API_KEY) are proportional to the stated integrations and are reasonable for this task. The concern is that the registry metadata declares no required env vars or primary credential while the SKILL.md explicitly requires three API keys. This disparity means automated permission checks or prompts could be incorrect; users might unknowingly provide keys to an unknown/unsigned skill.
Persistence & Privilege
The skill is not set always:true and does not request system config paths or other skills' credentials. It is user-invocable and allows model invocation (platform defaults). No evidence it requests persistent presence or modifies other skills.
What to consider before installing
Do not install or supply API keys to this skill as-is. The SKILL.md expects npm/node scripts and a Python overlay but the package contains only the README — that is a coherence failure. Before proceeding, ask the publisher for the source repository or a packaged release that includes the referenced scripts and a verified install spec. If you must test it: (1) run in an isolated sandbox or VM, (2) use ephemeral or least-privilege API keys (scoped service accounts and low quotas), (3) inspect all scripts for unexpected network calls or filesystem access, and (4) confirm the meaning of the 'uv' binary and any cross-skill dependencies. If the author can't provide code or a trustworthy source URL/homepage, treat the skill as incomplete and avoid handing over real credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk971pgh111hkzgnrv1ky7rvnzd82cx88
License
MIT-0
Free to use, modify, and redistribute. No attribution required.