← Back to Skills Marketplace
Video Producer
by
a1024708231
· GitHub ↗
· v2.2.1
· MIT-0
1055
Downloads
1
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install video-producer
Description
短视频一键生成技能 v2.2。调用video-director进行画面规划,然后生成AI素材、TTS配音、视频渲染,输出完整MP4。
Usage Guidance
Do not run this skill as-is on a sensitive system. Specific concerns: (1) The code contains hard-coded API keys — treat them as leaked secrets; if you or others have used those keys, rotate them immediately. (2) The skill's metadata does not declare the API keys and helper scripts it actually uses (MINIMAX_API_KEY, MINIMAX_IMAGE_API_KEY and external video-director / minimax-tts scripts). Ask the author to remove hard-coded credentials and declare required env vars and dependencies. (3) The scripts invoke external node/python helpers with execSync and build shell commands from user text — this can allow shell injection if inputs are not sanitized. Avoid passing untrusted text; prefer child_process.spawn with explicit args or a sanitized interface. (4) The skill requires or executes sibling scripts (../../video-director, ../../minimax-tts-cn) — verify those scripts' source before allowing execution because they run with the same agent privileges. (5) produce_fix.js can rewrite produce.js — treat self-modifying behavior cautiously and review its use-case. Recommended actions before installing: run in an isolated sandbox, audit and remove hard-coded keys, require explicit env vars in metadata, review all external endpoints (api.minimaxi.com and any video-director/tts code), and test with non-sensitive sample data. If you cannot verify the external helper scripts and keys, mark the skill untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: video-producer
Version: 2.2.1
The skill bundle contains multiple hardcoded API keys for the MiniMax service within `scripts/produce.js` and `scripts/image_gen.js`, which is a major security risk regarding credential exposure. Additionally, `scripts/produce.js` utilizes `execSync` to execute shell commands (ffmpeg, remotion, and python) by concatenating strings with potentially untrusted input, creating a high risk for shell injection. While these are critical vulnerabilities, the code logic remains consistent with the stated purpose of video production, and no clear evidence of intentional data exfiltration or malicious backdoors was found.
Capability Assessment
Purpose & Capability
The name/description (video generation using a video-director helper, AI images, TTS, Remotion render) matches the included scripts: produce.js, image_gen.js, and test output. However the implementation expects external helper scripts (../../video-director/scripts/plan.js and ../../minimax-tts-cn/scripts/tts.py) and uses external image/tts APIs — these dependencies are not declared in the registry metadata or SKILL.md metadata (no required env vars or config paths listed). That mismatch (undeclared but required helpers/keys) is unexpected.
Instruction Scope
The SKILL.md describes calling video-director and producing assets, which is consistent, but the runtime scripts do more: they call external processes (node and python) via execSync, write files outside the skill folder in multiple locations, and may require the presence of sibling skill code. The instructions do not document the hard-coded API keys, the expected external script locations, nor the fact that the agent will execute other scripts. The generateTTS command construction uses shell invocation with only double-quote escaping, exposing a potential shell-injection risk if input is not strictly sanitized.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded. However there are shipped JS scripts that will be executed. That reduces installation risk, but running these scripts still executes network requests and subprocesses. No external archive downloads were observed in the provided files.
Credentials
The skill metadata declares no required env vars or primary credential, but the code reads and falls back to API keys (process.env.MINIMAX_API_KEY, process.env.MINIMAX_IMAGE_API_KEY) and contains default hard-coded API key strings embedded in the source. Hard-coded keys in code are a sensitive mismatch with the declared 'none' credential fields. The scripts also expect local sibling projects (video-director, minimax-tts) which increases the attack surface and privileges needed at runtime.
Persistence & Privilege
The skill is not always-enabled (always: false) so it won't be force-included. It does, however, execute subprocesses (execSync), require/require() other scripts by path, and includes a helper (produce_fix.js) that modifies produce.js on disk (self-modifying code). Those behaviors are not necessarily malicious but increase risk and mean the skill will perform file writes and arbitrary code execution when run.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install video-producer - After installation, invoke the skill by name or use
/video-producer - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.2.1
修复视频发送无法正确加载本地文件的问题;修复场景切换时长计算错误;修复素材引用变量名错误;添加自定义结尾支持
Metadata
Frequently Asked Questions
What is Video Producer?
短视频一键生成技能 v2.2。调用video-director进行画面规划,然后生成AI素材、TTS配音、视频渲染,输出完整MP4。 It is an AI Agent Skill for Claude Code / OpenClaw, with 1055 downloads so far.
How do I install Video Producer?
Run "/install video-producer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Video Producer free?
Yes, Video Producer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Video Producer support?
Video Producer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Video Producer?
It is built and maintained by a1024708231 (@a1024708231); the current version is v2.2.1.
More Skills