vinlow

Web2Labs Studio

by Philipp Fanta · GitHub ↗ · v1.0.1
cross-platform ✓ Security Clean
Downloads: 447 · Stars: 2 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install web2labs-studio
Description
Edit my recording, turn a long video into shorts, generate captions and thumbnails, estimate cost before processing. Upload local files or YouTube/Twitch URL...
Usage Guidance
This skill appears coherent for controlling the Web2Labs Studio service from your agent. Before installing:
  1. Only provide WEB2LABS_API_KEY if you trust web2labs.com; the key will be stored in ~/.openclaw/openclaw.json (the code attempts chmod 600).
  2. Be cautious when supplying webhook_url values: the skill will POST job results to whatever callback URL you provide (so do not point that at an untrusted endpoint if you want to keep outputs private).
  3. yt-dlp will be executed for URL inputs; ensure you are comfortable with the skill running that binary and writing temporary files.
  4. If you want strict budget control, configure WEB2LABS_SPEND_POLICY or the WEB2LABS_AUTO_SPEND_* env vars before use.
Overall this skill is internally consistent with its stated purpose; if you need higher assurance, confirm the network domains contacted (baseUrl defaults to https://www.web2labs.com) and review the small set of included npm dependencies in package-lock.json.
Capability Analysis
Type: OpenClaw Skill · Name: web2labs-studio · Version: 1.0.1
The OpenClaw Studio skill is designed with strong security controls, explicitly addressing common attack vectors. It prevents credential leakage by stripping authentication headers for non-Web2Labs domains (`src/lib/api-client.mjs`), sanitizes remote filenames to prevent path traversal during downloads (`src/tools/download.mjs`), and uses `execFileAsync` for `yt-dlp` execution with carefully constructed arguments to mitigate shell injection risks (`src/lib/downloader.mjs`). API keys are stored locally with restricted permissions (`~/.openclaw/openclaw.json`, `chmod 600`). The `SKILL.md` instructions guide the AI agent in a safe and cost-aware manner, reinforcing guardrails against misuse. There is no evidence of intentional harmful behavior, obfuscation, or unauthorized data exfiltration.
Capability Assessment
Purpose & Capability
Name/description (cloud video editing: upload, render, thumbnails, cost estimates) match the implemented tools and network calls to web2labs.com. Declared primary credential (WEB2LABS_API_KEY), Node.js requirement, and permissions (network, filesystem) are appropriate for downloading URLs (yt-dlp), uploading files, polling results, and writing outputs/config. No unrelated credentials or unexpected binaries are requested.
Instruction Scope
SKILL.md and code instruct the agent to run yt-dlp for URL downloads, call Web2Labs APIs, optionally register webhooks, poll via WebSocket/HTTP, and write the API key into ~/.openclaw/openclaw.json. These are within the skill's stated purpose. Two notes: (1) the skill will send project.completed callbacks to any webhook_url the user supplies — that is expected functionality but could send user data to an attacker-controlled endpoint if the user configures one, (2) SKILL.md references additional env vars controlling spend policy (WEB2LABS_SPEND_POLICY and WEB2LABS_AUTO_SPEND_MAX_*) that are used for behavior but are not listed in the registry's required env list.
Install Mechanism
There is no external download/install step in the manifest (no remote URL or package install during agent install). The package includes Node.js source files and a package.json with standard npm dependencies (node-fetch, socket.io-client, form-data, zod, and an MCP SDK). This is a typical embedded skill server implementation and not a high-risk remote-install pattern. No extracted remote archives or shortener/personal-server download URLs were observed.
Credentials
The only declared primary credential is WEB2LABS_API_KEY which is proportional to the skill's function. The skill also documents optional env vars (WEB2LABS_SPEND_POLICY and multiple WEB2LABS_AUTO_SPEND_MAX_* caps) used to control spend behavior; these are reasonable but not listed under requires.env in the registry metadata. The code implements logic to avoid sending auth headers to non-Web2Labs domains (shouldAttachAuth) and stores the API key in the OpenClaw config with file-permissions hardening (chmod 600 attempt).
Persistence & Privilege
always:false (no forced inclusion). The skill writes its API key into ~/.openclaw/openclaw.json and sets its own entry enabled, which is standard onboarding behavior for many skills. It modifies the global OpenClaw config only to store its own credentials and enablement; this is expected for user-approved API key storage but worth noting for users who prefer not to store credentials on disk.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install web2labs-studio
  3. After installation, invoke the skill by name or use /web2labs-studio
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Release of the Web2Labs Studio Skill
Metadata
Slug web2labs-studio
Version 1.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Web2Labs Studio?

Edit my recording, turn a long video into shorts, generate captions and thumbnails, estimate cost before processing. Upload local files or YouTube/Twitch URL... It is an AI Agent Skill for Claude Code / OpenClaw, with 447 downloads so far.

How do I install Web2Labs Studio?

Run "/install web2labs-studio" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Web2Labs Studio free?

Yes, Web2Labs Studio is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Web2Labs Studio support?

Web2Labs Studio is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Web2Labs Studio?

It is built and maintained by Philipp Fanta (@vinlow); the current version is v1.0.1.
