WAIT — Mixed signals — read the receipts

• Last commit 3d ago
• 8 active contributors
• GPL-3.0 licensed
• CI configured
• ⚠ Concentrated ownership — top contributor handles 51% of recent commits
• ⚠ GPL-3.0 is copyleft — check downstream compatibility
• ⚠ No test directory detected
• ⚠ Scorecard: default branch unprotected (0/10)

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests + OpenSSF Scorecard}

RedditVideoMakerBot automates the creation of TikTok/YouTube-style videos from Reddit posts by scraping Reddit content via PRAW, generating synthetic speech (gTTS, pyttsx3, ElevenLabs), fetching background videos, and composing them into a final MP4 using MoviePy—all without manual editing, producing publication-ready videos in one command. Monolithic single-entry-point structure: GUI.py exposes a Flask web interface (GUI/ folder contains HTML/CSS/voice samples), main.py is the CLI entry point, and core logic likely spreads across unnamed modules in the root. Modular voice support (GUI/voices/ with 40+ .mp3 samples for ElevenLabs integration).

Content creators and automation enthusiasts who want to mass-produce short-form videos from Reddit threads for TikTok, YouTube Shorts, and Instagram Reels without learning video editing software. Also appeals to Python developers exploring automation and API integration patterns.

Actively maintained with 123K lines of Python code and organized GitHub workflows (linting, CodeQL, fmt checks via .github/workflows/). However, it explicitly marks itself 'EXPERIMENTAL' in the README and disclaims that uploads are manual-only to avoid platform guideline violations. CI/CD is in place but the project remains in active development rather than stable release.

Heavy dependency on external services: PRAW (Reddit API), Playwright (browser automation), MoviePy (video composition), ElevenLabs API, AWS (boto3), and multiple TTS engines. No visible test suite in the file list. Single-maintainer appearance (Lewis Menelaws as primary creator). Breaking changes possible as transformers (4.52.4) and torch (2.7.0) are cutting-edge versions with rapid iteration.

Stale detection and dependabot automation suggest ongoing maintenance. CI workflows (codeql-analysis.yml, fmt.yml, lint.yml) enforce code quality. README shows recent documentation polish (CONTRIBUTING.md, CODE_OF_CONDUCT.md present). No explicit recent commit data visible, but active dependabot suggests weekly dependency bumps.

git clone https://github.com/elebumm/RedditVideoMakerBot.git
cd RedditVideoMakerBot
python3 -m venv ./venv
source ./venv/bin/activate  # or .\venv\Scripts\activate on Windows
pip install -r requirements.txt
python -m playwright install
python -m playwright install-deps
python main.py

Daily commands:

# CLI entry point:
python main.py

# Web GUI:
python GUI.py

Both prompts for Reddit API credentials (config.toml) on first run. See config.toml after first execution to reconfigure.

• main.py: Primary CLI entry point—initializes Reddit scraping, config loading, and orchestrates the full video generation pipeline
• GUI.py: Flask web interface—exposes browser-based configuration UI and serves HTML/CSS from GUI/ folder
• GUI/index.html: Main web UI layout—user-facing form for configuring Reddit post selection, voice, background, and video output
• .github/workflows/lint.yml: Enforces code quality via pylint (see .pylintrc)—runs on every PR to catch regressions
• requirements.txt: Complete dependency manifest—includes PRAW, MoviePy, Playwright, ElevenLabs, spaCy/transformers, and Flask
• Dockerfile: Container definition for reproducible deployment—enables single-command execution in isolated environments
• GUI/voices/: Voice sample library (40+ .mp3 files)—pre-cached TTS examples for ElevenLabs voice selection UI

Adding new TTS voices: Add .mp3 files to GUI/voices/ and update voice selection logic. Changing video composition: Modify MoviePy calls (likely in unnamed core modules—search for moviepy imports). Reddit content filtering: PRAW integration points in main logic—look for praw.Reddit() initialization. UI changes: Edit GUI/*.html files and Flask routes in GUI.py. Video background sources: yt-dlp (2025.10.22) handles video downloads—check how backgrounds are fetched and cached.

Reddit API credentials required: main.py will interactively prompt for PRAW client ID/secret/user-agent on first run and store in config.toml—no programmatic bypass. Playwright headless browser overhead: playwright install and install-deps must complete fully or video scraping fails silently. MoviePy + ffmpeg coupling: MoviePy wraps ffmpeg (not in requirements—must be system-installed independently; ffmpeg-python 0.2.0 is just a Python wrapper). ElevenLabs API key: elevenlabs library requires external API key if chosen as TTS backend—no fallback docs visible. Torch/transformers cold-start: First NLP text processing will download large models (~2GB+) on-demand; no caching docs provided. Python 3.10 hard requirement: .python-version file locks version—3.9 or 3.11+ may cause import/syntax errors.

• Reddit API (PRAW) OAuth 2.0 — This bot authenticates to Reddit via script-type OAuth app credentials; understanding PRAW's scope/permission model is essential for debugging content access failures and rate limits
• Playwright browser automation — Required to fetch dynamic background content (playwright 1.49.1 in deps); non-obvious that video backgrounds may come from JavaScript-rendered pages, not static HTML
• [Text-to-Speech (TTS) pipeline](https://gtts.readthedocs.io/ and https://elevenlabs.io/docs) — Bot supports 3 TTS engines (gTTS, pyttsx3, ElevenLabs) with fallback logic; understanding when each is used (cost, latency, voice quality) is crucial for production output
• MoviePy composition & ffmpeg rendering — Core video assembly happens via MoviePy 2.2.1 wrapping ffmpeg; failures here are opaque without understanding video codec/bitrate constraints and ffmpeg CLI
• Transformer-based NLP (spaCy + Hugging Face) — Bot uses transformers 4.52.4 + torch 2.7.0 for advanced text filtering/summarization; cold-start model downloads and GPU/CPU selection are non-obvious gotchas
• TOML configuration files — Credentials and settings persist in config.toml after first run; understanding toml 0.10.2 + tomlkit 0.13.2 interaction is needed for safe config reloads and migrations
• Video composition & aspect ratio scaling — Reddit posts, background videos, and TTS audio must be composited with correct timing and resolution; MoviePy handles this but mismatches cause silent render failures

• allenai/allennlp — NLP pipeline alternative to spaCy+transformers used here; overlaps on text understanding for Reddit post filtering
• openai/whisper — Audio transcription model; complement to gTTS/ElevenLabs if reverse-engineering video narration becomes a use case
• yt-dlp/yt-dlp — Background video source tool already in requirements.txt (2025.10.22); core dependency for fetching YouTube/TikTok-style background clips
• praw-dev/praw — Official Reddit API wrapper (7.8.1 in requirements)—the foundation for all Reddit content scraping in this bot
• Zulko/moviepy — Core video composition library (2.2.1 in requirements)—handles all video assembly, rendering, and MP4 export

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add integration tests for TTS providers (GTTS, pyttsx3, elevenlabs, boto3)

The repo supports 4+ TTS backends (GTTS, pyttsx3, ElevenLabs, AWS Polly via boto3) but there's no visible test suite validating each provider works correctly. With multiple TTS engines in TTS/GTTS.py and dependencies like elevenlabs==1.57.0, integration tests would catch breaking changes when TTS APIs update and help new contributors verify their environment setup works.

• [ ] Create tests/test_tts_providers.py with mock TTS calls for each backend
• [ ] Add pytest fixtures in tests/conftest.py for TTS configuration
• [ ] Create GitHub Actions workflow .github/workflows/test-tts.yml to run tests on PR
• [ ] Test specific scenarios: audio generation success, fallback between providers, handling API errors

Add unit tests for video composition logic in moviepy pipeline

The repo uses moviepy==2.2.1 for video generation but there's no visible test coverage for the core video composition logic (background overlays, subtitle timing, audio syncing). This is the most critical path - broken video generation means broken core product. Tests would help contributors safely refactor the video pipeline.

• [ ] Identify the main video composition file (likely in root or a video/ directory based on structure)
• [ ] Create tests/test_video_composition.py with test cases for: adding backgrounds (GUI/backgrounds.html usage), subtitle placement, audio synchronization
• [ ] Add GitHub Actions workflow .github/workflows/test-video.yml that mocks ffmpeg calls
• [ ] Include tests for edge cases: very long transcripts, missing audio files, unsupported resolutions

Add validation tests for Reddit API integration (praw) with mocked responses

The repo uses praw==7.8.1 to fetch Reddit posts but there's no visible test suite for the Reddit API integration layer. This is a common failure point - Reddit API changes, rate limits, or authentication issues directly break the core feature. Mocked tests would let contributors catch regressions when updating praw or refactoring post fetching logic.

• [ ] Create tests/test_reddit_integration.py with pytest-vcr or responses library for mocking praw calls
• [ ] Test scenarios: successful post fetch, empty subreddit, authentication failure, rate limiting, post with special characters handled by clean-text==0.6.0
• [ ] Add GitHub Actions workflow .github/workflows/test-reddit.yml
• [ ] Include tests for the translators==5.9.9 integration when fetching non-English posts

• Add unit tests for PRAW integration in main.py—current codebase shows no test suite (no tests/ folder) yet has 123K LOC with complex Reddit scraping logic; start with mock tests for Reddit post filtering
• Document ElevenLabs API key setup in README—elevenlabs is in requirements.txt but README only mentions PRAW API setup; add step-by-step guide in CONTRIBUTING.md for users choosing ElevenLabs as TTS backend
• Create GUI error logging UI—GUI.py uses Flask but no visible error-feedback mechanism in GUI/*.html; add toast/modal alerts when video composition fails (MoviePy crashes, background download timeouts, etc.)

• High · Outdated and Vulnerable Dependencies — requirements.txt. Multiple dependencies have known security vulnerabilities or are significantly outdated. Notable issues: pytorch 2.7.0, transformers 4.52.4, and flask 3.1.1 may have unpatched vulnerabilities. The ffmpeg-python 0.2.0 is particularly old (last updated 2018) and may have critical security issues. Fix: Conduct a comprehensive dependency audit using tools like Safety or Snyk. Update all dependencies to their latest stable versions. Pin specific versions and regularly scan for vulnerabilities in CI/CD pipeline.
• High · Missing Input Validation on Web Interface — GUI.py, GUI/ (Flask templates). Flask application (GUI.py) likely handles user inputs for Reddit post content and TTS parameters without apparent input sanitization. Combined with external API calls (Reddit via PRAW, TTS services), this could enable command injection or prompt injection attacks. Fix: Implement strict input validation on all user-provided data. Use Flask's built-in security utilities. Sanitize inputs before passing to external APIs or system commands. Implement rate limiting and CSRF protection.
• High · Arbitrary Command Execution Risk in FFmpeg Integration — TTS/engine_wrapper.py and video processing modules. ffmpeg-python is used for video processing. If user inputs (video filenames, parameters) are not properly escaped, this could lead to command injection attacks when ffmpeg commands are executed. Fix: Use parameterized/array-based command execution instead of shell=True. Validate and sanitize all file paths and parameters passed to FFmpeg. Use subprocess with proper argument escaping.
• High · Exposed API Credentials and Secrets Management — TTS/aws_polly.py, TTS/elevenlabs.py, TTS/openai_tts.py, and main.py configuration. The codebase uses multiple external APIs (AWS Polly, ElevenLabs, OpenAI TTS, PRAW Reddit API) requiring credentials. No evidence of secure credential management (no .env.example, no secret handling pattern visible). Credentials likely hardcoded or stored insecurely. Fix: Implement environment variable-based credential management. Use Python-dotenv or similar. Never commit credentials. Create .env.example template. Use AWS IAM roles in Docker. Rotate credentials regularly. Consider using a secrets management service.
• High · Unsafe Deserialization and TOML Processing — Configuration loading (likely main.py), toml and tomlkit usage. The codebase uses toml and tomlkit libraries to parse configuration files. If configuration files are user-controlled or come from untrusted sources, TOML injection attacks are possible. Additionally, pickle-like deserialization patterns could exist in data processing. Fix: Only load configuration from trusted sources. Validate TOML schema. Avoid deserializing untrusted data. Use strict TOML parsers with schema validation.
• Medium · No Security Headers or HTTPS Configuration — GUI.py (Flask application). Flask web application (GUI) likely missing security headers (CSP, X-Frame-Options, X-Content-Type-Options, etc.). No evidence of HTTPS enforcement or secure cookie configuration. Fix: Implement security headers using Flask-Talisman or middleware. Force HTTPS in production. Set secure cookie flags (Secure, HttpOnly, SameSite). Implement Content Security Policy.
• Medium · Insufficient Error Handling and Information Disclosure — GUI.py (Flask application initialization). Flask debug mode might be enabled in production. Stack traces and system information could be leaked to users, aiding attackers in reconnaissance. Fix: Disable Flask debug mode in production. Implement custom error handlers to avoid exposing sensitive information. Log errors securely server-side without exposing details to clients.
• Medium · Docker Image Security Issues — Dockerfile. Dockerfile uses python:3.10.14-slim as base (outdated, released 2024). Uses apt without pinning versions. No non-root user created. No health checks or security scanning configured. Fix: Use latest Python slim image or pin a more recent version. Pin apt package versions. Create non-root user for application execution. Add HEALTHCHECK instruction. Implement multi-

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/elebumm/RedditVideoMakerBot shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live elebumm/RedditVideoMakerBot repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/elebumm/RedditVideoMakerBot.

What it runs against: a local clone of elebumm/RedditVideoMakerBot — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in elebumm/RedditVideoMakerBot | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 33 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of elebumm/RedditVideoMakerBot. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/elebumm/RedditVideoMakerBot.git
#   cd RedditVideoMakerBot
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of elebumm/RedditVideoMakerBot and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "elebumm/RedditVideoMakerBot(\\.git)?\\b" \\
  && ok "origin remote is elebumm/RedditVideoMakerBot" \\
  || miss "origin remote is not elebumm/RedditVideoMakerBot (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 33 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~3d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/elebumm/RedditVideoMakerBot"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.