Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
keevx-video-translate
v1.0.0Translate videos into a specified target language using the Keevx API. Supports audio-only translation, subtitle generation, and dynamic duration adjustment....
⭐ 6· 145·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes exactly the expected capabilities for a video-translation adapter to the Keevx API (upload local files, submit translation jobs, poll status). However the registry metadata claims no required environment variables or credentials even though the instructions explicitly require KEEVX_API_KEY — that mismatch is suspicious but the requested API key itself is coherent with the stated purpose.
Instruction Scope
Runtime instructions direct the agent to read local file paths and perform multipart uploads of local video files, submit tasks, and then immediately begin polling the external API until completion. Continuous polling and file uploads expand the agent's runtime actions beyond a single request/response and increase network activity and potential data exposure; the instructions also mandate showing a message and resuming polling on later user requests.
Install Mechanism
This is an instruction-only skill with no install spec and no code to write to disk, which minimizes installation risk.
Credentials
The SKILL.md requires a secret named KEEVX_API_KEY for Authorization and upload token use, but the registry metadata lists no required environment variables. Requiring a bearer token is reasonable for a third-party API, but the metadata/manifest omission is an inconsistency that should be resolved before trusting the skill.
Persistence & Privilege
always is false and the skill is user-invocable (normal). However, because the instructions ask the agent to poll the remote API until job completion and the platform allows autonomous invocation by default, the skill can produce sustained outbound network activity when invoked — this increases blast radius compared to a single-shot action.
What to consider before installing
Before installing or using this skill: (1) be aware the SKILL.md requires you to provide KEEVX_API_KEY even though the registry metadata omitted it — only proceed if you trust Keevx and understand the API key's scope. (2) The skill will upload any local video files you point it at to Keevx storage; do not upload sensitive or private videos unless you’ve checked Keevx’s privacy/data-retention policy. (3) The agent will poll the external API repeatedly until the translation finishes — expect sustained network requests and possible charges/rate limits. (4) If you provide a callback_url, the external service will POST task results to that URL — ensure that endpoint is trusted. (5) Because the skill source and homepage are unknown, prefer creating a dedicated, limited-scope API key for testing and verify the provider independently before using it with sensitive data. If possible, ask the skill author/maintainer to fix the manifest to declare KEEVX_API_KEY and to document polling behavior and data retention.Like a lobster shell, security has layers — review code before you run it.
latestvk975w738rt4g8edn54jee6kgqn83423c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.