Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
drama generator
v1.0.0
Automated drama video generator - from script to multi-character drama videos with OpenAI TTS, Whisper, and Remotion
⭐ 0· 265·2 current·2 all-time
by Justin Liu @zhenstaff
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (automated drama videos using TTS, Whisper, Remotion) matches the instructions: generating TTS, calling Whisper for timestamps, and local rendering with Remotion/ffmpeg. However, the registry metadata lists no required environment variables or credentials while the SKILL.md explicitly shows use of OPENAI_API_KEY, AZURE_TTS_KEY, ALIYUN/TENCENT keys, etc. That metadata mismatch is an inconsistency to be aware of.
Instruction Scope
SKILL.md contains detailed, narrowly-scoped runtime instructions: install via npm/clone, set provider API keys, run parsing/TTS/whisper scripts and Remotion render. The steps reference local files, external provider APIs (OpenAI/Azure/Alibaba/Tencent) and ffmpeg—these are expected for the stated task and do not appear to request unrelated system data.
Install Mechanism
The skill is instruction-only (no bundled install spec). It instructs users to install from npm or GitHub (common). Because there's no automatic installer included in the skill bundle, nothing is written to disk by the skill itself, lowering immediate risk. Still, installing the upstream npm package or running the repo's scripts will fetch and execute remote code — review upstream sources before installing.
Credentials
Requesting API keys for OpenAI, Azure, Alibaba, Tencent is proportionate to a multi-provider TTS/Whisper tool. The concern is the registry metadata omitted these required creds while the SKILL.md documents them; additionally, the skill will transmit script/audio to third-party TTS/Whisper endpoints, so secrets and content will leave the machine. Limit scope of keys (separate billing/key with quotas) and avoid sending sensitive text/audio.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable. Autonomous invocation disabled? (registry shows normal default). No evidence it needs elevated or permanent agent privileges.
What to consider before installing
This skill appears to do what it claims (convert scripts to multi-character videos using TTS, Whisper, Remotion), but there are a few things to check before installing:
- The SKILL.md expects provider API keys (OPENAI_API_KEY, AZURE_TTS_KEY, ALIYUN/TENCENT keys) though the registry metadata lists no required env vars — that's an inconsistency. Expect to provide secrets for external TTS/Whisper services.
- Using the skill will send your scripts/audio to third-party APIs (OpenAI, Azure, Alibaba, Tencent). Do not process sensitive or private content unless you accept that it will be transmitted.
- Because the skill is instruction-only, installing the upstream npm package or cloning the GitHub repo will fetch and run code. Inspect the GitHub repository and the npm package contents (scripts, shell helpers) for any unexpected network calls, telemetry, or shell execution before running.
- When you try it, use limited-scope API keys, billing limits, and rate limits; test in an isolated/dev environment; ensure ffmpeg and Remotion are from trusted package sources.
If you want a stronger assurance, provide the actual upstream repository package contents or a link to the exact npm release and I can review the code or point out risky files/commands to inspect.
Like a lobster shell, security has layers — review code before you run it.
