Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Creation

v1.0.0

video-creation-pro - A skill synced from a cloud repository

0· 373·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description state the skill syncs from a cloud repository and SKILL.md points to a specific GitHub repo/path — the requested actions align with the stated purpose and there are no unrelated env vars or binaries.
Instruction Scope
Instructions are minimal and only direct the agent to obtain files from the listed GitHub repo and configure/test them. That matches purpose, but grants broad discretion (download, inspect, and potentially run external code). The SKILL.md does not include safe, constrained commands or explicit limits.
Install Mechanism
No install spec and no code files in the skill bundle (instruction-only). This is low-risk in itself, but the skill explicitly points to an external GitHub repository as the source of executable content — fetching/extracting that repo would introduce code from an external origin.
Credentials
The skill declares no required environment variables, credentials, or config paths. There is no apparent request for unrelated secrets or system access.
Persistence & Privilege
always is false; no special persistence or system-wide configuration is requested. The skill may be invoked autonomously (platform default), but that is normal and not by itself a red flag.
Assessment
This skill is essentially a pointer to an external GitHub repository and contains only a short checklist. Before installing or allowing it to run:
1) Verify the GitHub repo (owner, commit history, stars/forks, recent activity) and inspect the files under skills/video-creation-pro/ yourself;
2) Do not let the agent automatically execute scripts from that repo without manual review — downloaded code can run arbitrary actions;
3) Ensure no secrets (API keys, cloud credentials) are provided to the skill;
4) If you need to use it, prefer to clone the repo in a sandbox or review the exact install steps and required env vars first;
5) Ask the publisher for a homepage, release tags, or more detailed SKILL.md with concrete, constrained commands and justification for any environment access.
Because the SKILL.md is vague, the main risk is whatever is present in the external repository — inspect that before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972bcv3xmvtbt2fn9e1zs993h823rw4
