Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Explainer
v0.1.0Create explainer videos with narration and AI-generated visuals. Triggers on: "解说视频", "explainer video", "explain this as a video", "tutorial video", "introd...
⭐ 0· 169·0 current·0 all-time
by@0xfango
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to create explainer videos and requires a LISTENHUB_API_KEY, which is coherent for a hosted video-generation service. However, the SKILL.md references endpoints at api.marswave.ai and a UI URL at listenhub.ai — the mismatch of domains is unexplained and should be clarified by the author.
Instruction Scope
Instructions will write a config file ('.listenhub/explainer/config.json' or $HOME alternative) and perform network calls using curl and jq (polling loop). The skill's declared requirements list no required binaries, yet the runtime explicitly requires curl and jq. It also mandates reading shared/*.md resources (not included here) and persisting defaultSpeakers after generation. These steps are within the skill's goal but the missing declared binaries and file-write behaviors are inconsistencies to verify.
Install Mechanism
No install spec or code files are included — the skill is instruction-only and does not download or install external packages, which reduces installation risk.
Credentials
Only one environment variable is required (LISTENHUB_API_KEY), which is appropriate for a remote API. The SKILL.md shows that API key will be sent as a Bearer token to the service. Confirm the API key's scope/permissions before use.
Persistence & Privilege
The skill writes/reads a local config under .listenhub/explainer and persists defaultSpeakers after generation. It does not request always:true or global privileges. Writing a config file is expected but you should confirm the exact location (current directory vs $HOME) and contents that will be stored.
What to consider before installing
This skill is mostly coherent with its purpose but has a few things to check before you install or provide your API key:
- Domain mismatch: SKILL.md uses api.marswave.ai while product links reference listenhub.ai — ask the author which domain is the real API and why both appear.
- Required binaries: the runtime polling uses curl and jq, but the skill metadata lists no required binaries. Ensure your environment has curl and jq available, or request the skill author to declare them.
- Config file behavior: the skill will create and write .listenhub/explainer/config.json (current directory by default, with a comment about $HOME). Confirm where config is stored and what secrets (if any) are written to it.
- API key scope: provide a least-privilege LISTENHUB_API_KEY (create a limited key if possible) and verify what actions that key permits on the service.
- Background polling: the skill runs a background polling loop (curl + jq) and may poll the API for several minutes — be comfortable with the network activity and endpoints used.
If you need to proceed, ask the author to clarify the API domain, explicitly declare required binaries (curl, jq), and show the exact HTTP endpoints and request shapes the skill will call so you can confirm there are no unexpected endpoints or data exfiltration paths.Like a lobster shell, security has layers — review code before you run it.
latestvk97fmcwsmdwcpcyrawdzt9djmx82w2pt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvLISTENHUB_API_KEY
Primary envLISTENHUB_API_KEY