gblockchainnetwork

Video App

by Goroni · GitHub ↗ · v1.2.0
cross-platform ⚠ suspicious
Downloads: 546
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install vibeclip
Description
Automation skill for VibeClip - AI Music Video Gen.
Usage Guidance
This skill appears to do what it claims (generate short music videos using a local Ollama model + FFmpeg). Before installing or running it:
  1. Ensure you have node, Ollama, and FFmpeg installed and trust the local Ollama models you pull.
  2. Run 'npm install' in the skill directory so dependencies are installed (SKILL.md doesn't list this step).
  3. If you deploy to a VPS, protect the service (authentication, HTTPS, firewall, rate limits) because the app accepts unauthenticated uploads and serves outputs publicly.
  4. The SKILL.md mentions payments/ETH but there is no payment code — treat that as marketing only.
  5. Consider disk-quota and cleanup policies (uploads/ and outputs/ are written to disk).
If you need the skill to handle sensitive inputs or be internet-facing, add access controls and monitoring first.
Capability Analysis
Type: OpenClaw Skill
Name: vibeclip
Version: 1.2.0
The skill is classified as suspicious due to a prompt injection vulnerability against the local Ollama LLM in `index.js`. The user-provided `prompt` is directly interpolated into the `ollama.chat` message, allowing an attacker to manipulate the LLM's output and potentially generate unintended or harmful content. While the use of `child_process.spawn` for FFmpeg is implemented securely with an array of arguments, mitigating direct shell injection, the LLM prompt injection represents a significant vulnerability in the AI interaction, even if it does not directly lead to host compromise or data exfiltration.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, and index.js are coherent: the app uses Ollama to generate scene descriptions and FFmpeg to render a photo+audio video, and the package.json dependencies (express, multer, ollama, uuid) match that purpose. Minor inconsistency: SKILL.md advertises 'Revenue SaaS / ETH payments' but the code has no payment logic; SKILL.md also mentions VPS deploy/readiness but does not include explicit npm-install instructions (package.json exists).
Instruction Scope
SKILL.md instructs pulling Ollama models and running the Node app; the runtime index.js only reads uploaded audio/photo + prompt, calls local Ollama, and spawns ffmpeg to produce an MP4. There is no hidden file reading, credential access, or external endpoints in the code. Operational/security note: the app accepts unauthenticated uploads, writes files to uploads/ and outputs/, and serves outputs publicly (no auth, no rate limiting) — this increases exposure (abuse, storage bloat, hosting malicious files) but is consistent with a simple prototype.
Install Mechanism
No packaged install spec was present in the registry metadata, but SKILL.md includes a metadata.install entry that runs 'ollama pull' to download models — that is a reasonable source (ollama) rather than a personal server. The package.json / package-lock indicate normal npm dependencies; however SKILL.md does not explicitly instruct 'npm install' which is a minor operational mismatch. No high-risk arbitrary downloads or URL shorteners detected.
Credentials
The skill requests no environment variables or credentials and the code does not attempt to read secrets or external config. Using local Ollama and FFmpeg requires those binaries to be available but no sensitive access is requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and runs as a standalone web app on port 3000. Note: exposing a web server on 0.0.0.0 is expected for this app but has normal hosting risks (publicly accessible uploads/outputs).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install vibeclip
  3. After installation, invoke the skill by name or use /vibeclip
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
v1.2: Paywall stub ETH_ADDR env (0x362A...). Auto wallet!
v1.1.0
v1.1: ETH paywall stub added (wallet 0xfb8f...05c7, 0.001 ETH/clip). Revenue ready! Test manual pay → gen.
v1.0.0
Live proto: Ollama/FFmpeg music2video. Local/offline, revenue SaaS ready (ETH credits). clawhub.com/vibeclip
Metadata
Slug vibeclip
Version 1.2.0
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Video App?

Automation skill for VibeClip - AI Music Video Gen. It is an AI Agent Skill for Claude Code / OpenClaw, with 546 downloads so far.

How do I install Video App?

Run "/install vibeclip" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Video App free?

Yes, Video App is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Video App support?

Video App is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Video App?

It is built and maintained by Goroni (@gblockchainnetwork); the current version is v1.2.0.
