drama generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The artifacts describe a coherent video-generation workflow. Its steps are expected for the stated purpose but warrant user review: installing an external CLI, using cloud API keys, and sending script/audio data to providers.
Before installing, verify the npm/GitHub package source, consider using a pinned version or isolated environment, provide only dedicated provider API keys, and avoid processing confidential scripts unless you are comfortable with the selected provider's data handling and costs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the external package can run code from npm/GitHub and change the local development environment.
The skill is instruction-only but tells users to install or clone an external package/source that is not included in the reviewed artifact set. This is aligned with the stated purpose, but users should treat it as a supply-chain decision.
npm install -g openclaw-drama-generator ... git clone https://github.com/ZhenRobotics/openclaw-drama-generator.git
Install only if you trust the npm/GitHub source; consider pinning a version and reviewing the package before running it.
The command may create output files, use local compute, and incur provider API usage.
The documented workflow runs a local CLI that processes files, generates media, and calls provider services. This is expected for the skill's purpose and appears user-directed.
drama-generator my-drama.txt --speed 1.1 --provider openai
Run it from a dedicated project directory and review command options before processing important or sensitive files.
Provider keys could incur charges or expose account access if mishandled.
The skill expects cloud provider credentials for TTS/Whisper services, while registry metadata declares no required credentials. The use is purpose-aligned, but the keys can authorize paid account activity.
export OPENAI_API_KEY="sk-..." ... export ALIYUN_ACCESS_KEY_SECRET="..." ... export TENCENT_SECRET_KEY="..."
Use least-privilege or dedicated API keys, monitor usage, avoid pasting keys into shared logs, and rotate keys if exposed.
Drama scripts, generated audio, or transcription inputs may be processed by third-party providers.
The workflow sends script/audio-related content to external speech and transcription providers. This is disclosed and necessary for the described functionality, but it is still a sensitive data flow.
OpenAI TTS ... Whisper API dialogue synchronization ... Multi-Provider Support - OpenAI, Azure, Alibaba Cloud, Tencent Cloud TTS
Do not use confidential scripts unless the chosen provider's privacy, retention, and compliance terms are acceptable.
