Is benhuebner01/claw-video-generator safe?

https://github.com/openclaw/skills/tree/main/skills/benhuebner01/claw-video-generator

86
SAFE

The claw-video-generator skill is a well-structured Python API wrapper for the JSON2Video service that generates Pinterest-optimized vertical videos. No prompt injection, hidden payloads, canary file access, or malicious code patterns were detected; all monitored network activity during install matched expected git clone behavior, and the post-install openclaw-gateway connections are attributable to the Oathe monitoring infrastructure rather than skill artifacts. The primary risk is inherent to its design: user-supplied AI prompts, voice-over scripts, and media URLs are transmitted to the third-party api.json2video.com service, and the unpinned requests dependency and unguarded --config file path represent minor hygiene issues.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

MEDIUM User prompt content and voice text transmitted to third-party API -15

Every ai_prompt string and voice text string from the user's config file is included in the POST body sent to https://api.json2video.com/v2/movies. Users must trust the JSON2Video service with this content. If the agent autonomously constructs prompts from user project data or private context, that content will leave the local environment.

LOW image.source and voice.source accept arbitrary URLs -10

The image and voice source fields in scene configs accept any HTTPS URL. A crafted config pointing source fields at internal hostnames or cloud metadata endpoints (e.g., 169.254.169.254) would cause the JSON2Video rendering backend to attempt those fetches, potentially confirming reachability of internal services through API error messages.

LOW No path restriction on --config file argument -8

The config_path argument is passed directly to open() without validation against an allowlist directory. An agent or user could supply a path to any readable JSON file on the filesystem, including files containing sensitive structured data that happens to parse as valid JSON.

LOW Unpinned external dependency (requests) -10

The script imports the 'requests' package without version pinning or hash verification. In a compromised or misconfigured Python environment, a malicious requests package could intercept API keys and payload content without any changes to skill files.

LOW Partial payload printed to stdout on every run -5

The script prints the first 500 characters of the JSON payload before submission. In environments where terminal output is logged or captured by the agent framework, API key usage patterns and prompt content could be persisted in logs.

INFO External third-party documentation URLs in SKILL.md -8

SKILL.md contains links to json2video.com, Microsoft Azure Speech documentation, and the ElevenLabs voice library. These are static documentation references, not agent fetch targets, so they carry no risk of prompt injection.

INFO Skill is oriented entirely toward affiliate marketing automation -2

All example configs, ADVANCED.md guidance, and SKILL.md descriptions are framed around Pinterest affiliate marketing (passive income, CTAs, 'link in bio'). This is a commercial use-case indicator, not a security risk, but users should be aware they are installing a tool optimized for marketing content generation.