Description

Generate a complete Aura Creatine TikTok/Instagram video from a JSON script. Reads the script from Google Drive, generates A-roll (Kristina image-to-video vi...

README (SKILL.md)

Aura Video Generator

Name: Aura Video
Author: scotteverduim

Generate a complete Aura Creatine video from a single script ID.

Usage

bash {baseDir}/scripts/aura_video.sh week1_day1_vid1

Replace week1_day1_vid1 with any script ID from Google Drive/Aura Creatine/Content Pipeline/01_Scripts/.

How it works

Load JSON script from Google Drive (Content Pipeline/01_Scripts/\x3Cid>.json)
Generate each scene based on type field:
- a-roll → AIML image-to-video (Kristina base image + prompt)
- b-roll → Gemini Veo text-to-video (prompt only)
- animation → Gemini Veo text-to-video (prompt only, animation style)
Load voiceover MP3 from Google Drive (voiceovers/ folder)
Merge scenes with FFmpeg: concatenate clips, add voiceover, add captions
Upload final video to Google Drive (Content Pipeline/03_Final_Videos/)
Send video back to the chat

Script JSON format

{
  "meta": {
    "id": "week1_day1_vid1",
    "title": "Why Women Need Creatine More"
  },
  "assets": {
    "kristina_base_image": "Brand Kit/kristina_reference_primary.png",
    "voiceover_mp3": "voiceovers/Vid 1 Why Women Need Creatine More.mp3",
    "voiceover_text": "Did you know that women naturally have 70-80% lower creatine stores...",
    "on_screen_captions": ["Women have 70-80% less creatine", "Bridge the energy gap", "Start with 3-5g daily"]
  },
  "scenes": [
    { "scene": 1, "type": "a-roll", "prompt": "Kristina sits at kitchen table...", "caption": "Women have 70-80% less creatine", "duration_seconds": 8 },
    { "scene": 2, "type": "b-roll", "prompt": "Animated bar chart showing women vs men creatine levels...", "caption": "Bridge the energy gap", "duration_seconds": 8 },
    { "scene": 3, "type": "a-roll", "prompt": "Kristina focused, smiling, typing on laptop...", "caption": "Start with 3-5g daily", "duration_seconds": 8 }
  ]
}

Available scripts

All scripts are in Google Drive/Aura Creatine/Content Pipeline/01_Scripts/:

week1_day1_vid1 — Why Women Need Creatine More
week1_day2_vid1 — The Creatine Myth Debunked
week1_day3_vid1 — Creatine Against Brain Fog
week1_day4_vid1 — Sleep Almost An Hour Longer
week1_day5_vid1 — Creatine & Depression
week1_day6_vid1 — Constantly Feeling Rushed
week1_day7_vid1 — Better Memory

Notes

All videos are rendered in 9:16 (vertical) format for TikTok/Instagram Reels
A-roll scenes use the Kristina base image from Brand Kit/
Voiceover MP3s are pre-recorded and loaded from Google Drive (no ElevenLabs cost)
Final video is ~24 seconds (3 scenes × 8 seconds)
Output is uploaded to Content Pipeline/03_Final_Videos/ and sent to chat

Usage Guidance

This skill appears to implement the advertised video pipeline, but it has several red flags you should address before installing or running it: - Secrets & configs: The scripts expect AIML/GEMINI API keys (declared in SKILL.md) but also source $HOME/.openclaw/.env and look for TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID and a rclone Google Drive config ($HOME/.gdrive-rclone.ini). Make sure you understand where those files/keys would come from and do not place high-privilege credentials there unless you trust the code. - Hidden dependencies & paths: The bash scripts call ffmpeg at a hardcoded Homebrew path and a Python binary inside another skill's venv ($HOME/.openclaw-workspace/skills/auraveo). Confirm those helper scripts and the venv are present and trusted; otherwise the skill may run arbitrary code outside its own directory. - Missing declarations: The registry metadata did not list the environment variables, binaries, or config paths the scripts actually need. Treat that as a sign to audit the full repository and any external helper scripts before use. - Run in isolation: If you want to test, run the pipeline in an isolated environment (dedicated VM or container) with minimal credentials and monitored network access. Verify the auraveo helper scripts and render helpers are exactly what you expect (or modify aura_video.sh to point to known-trusted paths). - If you need to proceed: add explicit, minimal API keys in an isolated credential store, ensure rclone config only has the necessary Drive access, and inspect/replace any hardcoded absolute paths to point to vetted binaries inside the skill folder. If you want, I can list the exact lines/locations in the scripts that reference the undeclared files and creds, or help craft a safer wrapper that limits which external commands/paths are used.

Capability Analysis

Type: OpenClaw Skill Name: aura-video Version: 1.0.0 The skill bundle implements a video production pipeline that is highly vulnerable to shell injection. Specifically, scripts/aura_video.sh and scripts/aroll_watcher.sh parse JSON data from Google Drive and rclone output using 'python3 -c' and then pass these unsanitized strings directly into shell commands and subshells. While the behavior appears aligned with the stated goal of automating 'Aura Creatine' content, the lack of input validation and the direct reading of sensitive environment files ($HOME/.openclaw/.env) to extract API keys represent significant security flaws rather than intentional malice.

Capability Assessment

⚠ Purpose & Capability

Name/description claim: generate videos from a Google Drive JSON script using AIML, Gemini, and Remotion — which matches the included code. However the registry metadata claimed no required env or binaries but the SKILL.md and scripts clearly expect API keys (AIML/GEMINI), rclone config for Google Drive, a specific ffmpeg binary, and Python scripts/venv from another skill (auraveo). These external/local paths and tools are not declared in the registry metadata, which is inconsistent and disproportionate.

⚠ Instruction Scope

Runtime scripts do more than the SKILL.md prose implies: they source $HOME/.openclaw/.env, read AIML_API_KEY and optional Telegram tokens, use rclone to copy files to/from Google Drive, call Python scripts living under $HOME/.openclaw-workspace/skills/auraveo, and call a render helper in $HOME/aura-remotion. They also optionally POST to Telegram. The instructions therefore access local dotfiles, state/log files, and external network endpoints beyond those explicitly documented; that scope creep is not declared in the registry metadata.

ℹ Install Mechanism

There is no install spec (instruction-only), which lowers supply-chain risk, but the bundle includes node project files (package.json, package-lock) and shell scripts that expect Remotion, Node/React, ffmpeg, rclone, and a Python venv to be present. Because no install steps are provided, an operator may inadvertently run scripts on a system that doesn't meet these hidden prerequisites or runs untrusted code from referenced paths.

⚠ Credentials

SKILL.md metadata lists GEMINI_API_KEY and AIML_API_KEY, which are reasonable for text/video-generation. However the scripts also read other secrets/config that were not declared: they source $HOME/.openclaw/.env (grep for AIML_API_KEY), look for TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID for notifications, and require an rclone Google Drive config at $HOME/.gdrive-rclone.ini. Those additional credentials and config accesses are not declared in the registry metadata, making the requested environment access broader than communicated.

⚠ Persistence & Privilege

always:false (good). But the included watcher writes state and log files to the user's home ($HOME/.aroll_watcher_state, $HOME/.aroll_watcher.log) and is intended to run from cron. More importantly, the main script executes Python helper scripts from another skill's venv ($HOME/.openclaw-workspace/skills/auraveo/venv) and calls other local helper scripts (e.g., render_animation.sh) using hardcoded absolute paths. That coupling means this skill can execute code outside its own directory, which elevates the impact if those external scripts are untrusted or malicious.

Version History

v1.0.0

- Initial release of aura-video: generate complete 9:16 TikTok/Instagram videos from a single JSON script. - Loads script and media assets from Google Drive, generates scenes with AIML and Gemini Veo, merges with Remotion and FFmpeg. - Supports A-roll (image-to-video), B-roll (text-to-video), animation scenes, voiceover MP3, and captions. - Final video (~24 sec, 3 scenes) is uploaded to Google Drive and sent back to chat.

Metadata

Slug aura-video

Version 1.0.0

License —

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Aura Video?

Generate a complete Aura Creatine TikTok/Instagram video from a JSON script. Reads the script from Google Drive, generates A-roll (Kristina image-to-video vi... It is an AI Agent Skill for Claude Code / OpenClaw, with 364 downloads so far.

How do I install Aura Video?

Run "/install aura-video" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Aura Video free?

Yes, Aura Video is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Aura Video support?

Aura Video is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Aura Video?

It is built and maintained by ScottEverduim (@scotteverduim); the current version is v1.0.0.

More Skills

Aura Video