ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

keevx-image-to-video

v1.0.0

Convert images to videos using Keevx API with support for multiple models, resolutions up to 4K, audio generation, and batch processing.

9· 144·0 current·0 all-time
by@baidu-xiling
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes an image-to-video converter using the Keevx API and the name/description align with that purpose. However, the runtime instructions require an external API key (KEEVX_API_KEY) and specific API endpoints, while the registry metadata lists no required environment variables or primary credential — an inconsistency between claimed requirements and declared metadata.
Instruction Scope
The instructions are narrowly scoped to uploading images, creating/querying image-to-video tasks, and optionally using callback URLs. They do not instruct reading unrelated system files or additional environment variables. Handling of local files (upload then use returned URL) and use of a callback URL are expected for async processing, but the callback mechanism could be abused if set to an attacker-controlled endpoint.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk or automatically installed. That reduces installer-related risk.
!
Credentials
The SKILL.md clearly requires a single API credential (KEEVX_API_KEY) to call the Keevx API, which is proportionate to the described functionality. However, the registry metadata does not declare any required env vars or a primary credential — this mismatch is concerning because it hides the need to provide a secret. The skill otherwise does not request additional unrelated credentials.
Persistence & Privilege
The skill is not always-enabled and does not request special agent-wide configuration or persistent system privileges. Autonomous invocation is allowed (platform default) and is not by itself a problem here.
What to consider before installing
Before installing, note that the skill's documentation requires you to provide KEEVX_API_KEY even though the registry metadata omits it — that's an incoherence you should address. Confirm the skill's source and homepage (keevx.com and docs.keevx.com are referenced in the SKILL.md) and verify the domain and API documentation yourself. Only provide an API key with minimal privileges and avoid using sensitive or private images. Be careful with callback_url: if you supply a callback endpoint, ensure it is your controlled, HTTPS endpoint to avoid exfiltration. If possible, ask the publisher to update the registry metadata to declare KEEVX_API_KEY (and provide provenance) before trusting the skill. If you can't verify the publisher, treat it as higher risk and test with throwaway credentials and non-sensitive content first.

Like a lobster shell, security has layers — review code before you run it.

latestvk970q5yh0g7n6zjb3v9kpsxbm5833tkv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments