
Product Demo Video Creator

by xiazai77 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
322 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install product-demo-video
Description
Create product demo videos with voiceover, text overlays, and real browser interactions. Fully automated, zero cost. Uses Puppeteer (headless Chrome), edge-t...
Usage Guidance
This skill is coherent with its stated purpose, but take these precautions before running:
- Inspect and (if needed) edit SCENES in scripts/record-demo.mjs so they only point to public pages you control; do NOT point it to authenticated or private pages unless you understand the privacy risk (screenshots capture page content).
- Review any narration or scene id content before running; the script uses execSync with string commands (edge-tts, ffmpeg, ffprobe). Avoid untrusted text that could include shell metacharacters. Prefer running the script manually in a sandbox first.
- Be careful running scripts/install-deps.sh: it downloads an FFmpeg static build and copies binaries to /usr/local/bin (requires elevated privileges). Consider installing dependencies through your package manager or verifying the downloaded archive before copying.
- Expect edge-tts to contact Microsoft servers (network activity). If offline or privacy-sensitive, do not generate TTS there.
- Run the whole workflow in an isolated environment (VM/container) or non-production machine until you’re comfortable.

If you plan to adapt the code, consider replacing execSync string commands with child_process spawn/execFile and validated argument lists to avoid shell injection. If you want, I can point out the specific lines in record-demo.mjs that are highest risk and suggest safer code changes.
Capability Analysis
Type: OpenClaw Skill
Name: product-demo-video
Version: 1.0.0

The skill bundle contains a shell injection vulnerability in `scripts/record-demo.mjs` where narration text is passed to `execSync` with insufficient sanitization (only double quotes are escaped), allowing for subshell execution (e.g., via backticks or $()). Additionally, `scripts/install-deps.sh` downloads and installs a pre-compiled FFmpeg binary from an external site (johnvansickle.com), which is a high-risk supply chain practice. While these behaviors are functional for the stated purpose of video generation, they represent significant security flaws that could be exploited by a malicious prompt.
Capability Assessment
Purpose & Capability
Name, description, and included files (Puppeteer script, edge-tts usage, PIL overlay generation, FFmpeg commands) match the stated goal of creating product demo videos; no unrelated credentials, config paths, or services are requested.
Instruction Scope
SKILL.md and record-demo.mjs instruct the agent to visit arbitrary URLs and screenshot them, generate TTS via edge-tts (calls Microsoft servers), run FFmpeg/ffprobe, and create overlay images with a generated Python script. This stays within the stated purpose, but noteworthy runtime behaviors: the tool will capture screenshots of any provided URL (including authenticated/private pages if pointed there), and it invokes external network services (edge-tts). The code uses execSync with shell-interpolated strings (narration, filenames, ids) which can lead to command-injection risks if scene IDs or narration text are untrusted.
Install Mechanism
There is no platform-level install spec, but an included scripts/install-deps.sh downloads an FFmpeg static build from johnvansickle.com (a common FFmpeg static source) and copies binaries to /usr/local/bin. The script also uses apt/dnf package installs and pip installs. Downloading and extracting an archive and copying into /usr/local/bin is invasive and will require elevated privileges; the curl+tar approach is higher risk than using a package manager but the upstream source is known.
Credentials
The skill does not request environment variables or credentials, and the code does not read secret env vars. The only external services used are Microsoft TTS via edge-tts and standard utilities (ffmpeg, chromium).
Persistence & Privilege
always:false and no special agent permissions requested. The install script writes system-wide binaries (/usr/local/bin) and installs fonts/packages; running that script will require sudo/root on many systems. The skill does not attempt to modify other skills or agent configurations.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install product-demo-video
  3. After installation, invoke the skill by name or use /product-demo-video
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Automated demo video pipeline: Puppeteer + edge-tts + PIL + FFmpeg
Metadata
Slug: product-demo-video
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Product Demo Video Creator?

Create product demo videos with voiceover, text overlays, and real browser interactions. Fully automated, zero cost. Uses Puppeteer (headless Chrome), edge-t... It is an AI Agent Skill for Claude Code / OpenClaw, with 322 downloads so far.

How do I install Product Demo Video Creator?

Run "/install product-demo-video" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Product Demo Video Creator free?

Yes, Product Demo Video Creator is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Product Demo Video Creator support?

Product Demo Video Creator is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Product Demo Video Creator?

It is built and maintained by xiazai77 (@xiazai77); the current version is v1.0.0.
