ClawHub

Video Generator | 视频生成器

v1.0.42

Automated text-to-video pipeline with multi-provider TTS/ASR support - OpenAI, Azure, Aliyun, Tencent | 多厂商 TTS/ASR 支持的自动化文本转视频系统

0· 919·21 current·22 all-time
byJustin Liu@zhenstaff
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (text-to-video with multi-provider TTS/ASR) aligns with requested dependencies and env vars: OpenAI/Azure/Aliyun/Tencent keys, node/npm/ffmpeg are expected for TTS, Whisper, and Remotion-based rendering.
Instruction Scope
Runtime instructions direct the agent to clone a GitHub repo, install dependencies, and execute local scripts (e.g., ~/openclaw-video/generate-for-openclaw.sh or the openclaw-video-generator CLI). The instructions do not appear to request unrelated system secrets or global data exfiltration, but they do instruct executing arbitrary code from the project repository and the npm package, so you should inspect that code before running.
Install Mechanism
Installation is via a public npm package (openclaw-video-generator@1.6.2) and/or git clone from GitHub. These are standard distribution channels (moderate risk): npm packages and cloned repos can run arbitrary code during install or runtime, so verify package authenticity, the referenced commit, and source before installing globally.
Credentials
Requested environment variables are TTS/ASR provider credentials (OPENAI_API_KEY, AZURE_SPEECH_*, ALIYUN_*, TENCENT_*). These match the skill's multi-provider design and are proportionate to the functionality; no unrelated credentials or system tokens are requested.
Persistence & Privilege
Skill does not request always:true and does not declare system config paths, but the agent will be instructed to write/modify files under ~/openclaw-video/ and to run local scripts. This is expected for a tool that installs a project, but it means the package/repo will gain filesystem persistence in the user's home and execute with the user's privileges.
Assessment
This skill is coherent with its purpose, but before installing or running it: 1) Inspect the GitHub repo and the npm package (version 1.6.2, commit hash given) to ensure code matches expectations; 2) Prefer installing/testing inside a sandbox/container or non-production account; 3) Use minimal-scope API keys and monitor billing/usage for the provider you choose (consider creating a separate API key with limited quota); 4) Be aware the installation runs npm install and may create files in ~/openclaw-video/ and run scripts with your user privileges; 5) Verify ffmpeg, node, and other tools are from trusted sources; 6) If you don't want an agent to execute commands autonomously, avoid granting this skill automatic invocation or run it manually after review.

Like a lobster shell, security has layers — review code before you run it.

latestvk9707aks4rek5sv218pfhjmbex83pmb0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments