← Back to Skills Marketplace
414
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install shellbot-creative
Description
Opinionated creative production system for image/video generation, image editing, motion scenes, voiceovers, music, and Remotion assembly. Combines Freepik,...
Usage Guidance
This skill appears coherent for orchestrating multi-provider creative workflows, but review these before installing or running: 1) Supply credentials only for providers you intend to use (FREEPIK_API_KEY is required for Freepik flows); understand that those keys will be sent to the provider APIs and may incur usage/billing. 2) Inspect scripts/install_skill.sh and package_skill.sh if you plan to run them — don't execute install scripts from unknown packages without reading them. 3) Review any truncated/omitted files for unexpected network endpoints or obfuscated code. 4) If you want to limit blast radius, create provider API keys with the narrowest scopes possible and run the skill in an isolated project folder. 5) If you need higher assurance, run a dry-run (the repo includes dry-run manifests) and review the generated shell plans before executing any network calls.
Capability Analysis
Type: OpenClaw Skill
Name: shellbot-creative
Version: 1.0.0
The skill contains a critical shell injection vulnerability in `scripts/run_full_dry_run.py`. User-provided input (the 'brief' argument) is unsafely embedded into a `curl` command string, which is then written to an executable shell script (`creative-output/dry-run-freepik-first/commands/run-freepik-first.sh`). This allows an attacker to inject arbitrary shell commands for remote code execution on the host system. While there is no clear evidence of intentional malicious behavior by the skill author, this severe vulnerability makes the skill highly risky.
Capability Assessment
Purpose & Capability
Name/description promise (multi-provider creative pipeline using Freepik, fal.ai, Nano Banana 2, and Remotion) matches the contents: orchestration scripts, Remotion React templates, and numerous curl/python commands targeting those providers. The declared primary credential (FREEPIK_API_KEY) and providerEnv references to FAL_KEY/INFERENCE_API_KEY are appropriate. Minor metadata inconsistency: registry 'Required env vars: none' conflicts with the skill's primaryEnv and the SKILL.md checks which expect FREEPIK_API_KEY (and optionally FAL_KEY / INFERENCE_API_KEY).
Instruction Scope
SKILL.md and scripts instruct running local Python scripts, creating project folders, using Remotion (node/npx), and calling provider APIs via curl/infsh. All referenced network endpoints are provider endpoints (api.freepik.com, queue.fal.run / api.fal.ai, infsh/inference.sh); instructions do not reference reading unrelated system files or exfiltrating files to unknown hosts. The runtime has permission to read/write local project files (assets, manifests) as expected.
Install Mechanism
No automated install spec in the registry (instruction-only), which minimizes automatic code fetching. The repo includes packaging/install helper scripts (scripts/install_skill.sh, package_skill.sh) — their contents were not fully inspected here; they are typical but should be reviewed before executing. Visible files do not download arbitrary archives from unknown hosts.
Credentials
Requested credentials are proportional to the multi-provider workflow: FREEPIK_API_KEY is the primary credential and FAL_KEY / INFERENCE_API_KEY are optional fallbacks. No unrelated secrets or broad system credentials are requested. Reminder: API keys will be transmitted to the provider endpoints invoked by the scripts (normal for this skill).
Persistence & Privilege
The skill is not always-enabled and uses default agent autonomy settings. It does not request elevated system privileges or indicate modification of other skills or global agent configuration. It writes artifacts into local project folders (assets/, scenes/, audio/, manifests/) which is consistent with its purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install shellbot-creative - After installation, invoke the skill by name or use
/shellbot-creative - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Freepik-first creative pipeline with Nano Banana 2/fal fallbacks, storyboard + routing + Remotion manifest scripts, packaging/install helpers, and production recipes.
Metadata
Frequently Asked Questions
What is shellbot-creative?
Opinionated creative production system for image/video generation, image editing, motion scenes, voiceovers, music, and Remotion assembly. Combines Freepik,... It is an AI Agent Skill for Claude Code / OpenClaw, with 414 downloads so far.
How do I install shellbot-creative?
Run "/install shellbot-creative" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is shellbot-creative free?
Yes, shellbot-creative is completely free (open-source). You can download, install and use it at no cost.
Which platforms does shellbot-creative support?
shellbot-creative is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created shellbot-creative?
It is built and maintained by cohnen (@cohnen); the current version is v1.0.0.
More Skills