Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

llm-video-generator

v1.0.1

Generate videos from text descriptions using ZhipuAI CogVideoX-3 model. Supports text-to-video, image-to-video, and first/last frame-to-video generation. Aut...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to be an instruction-only text/image->video generator, which is coherent with the provided scripts, but the declared registry metadata shows no required environment variables or binaries while the code clearly requires a ZHIPU_API_KEY, network access, and external tools (ffmpeg/ffprobe). The SKILL.md and manifest omit these required credentials/tools — an inconsistent declaration.
! Instruction Scope
Runtime instructions are narrowly focused on generating segments, reporting progress, and concatenating segments. However, SKILL.md and the scripts mandate using /opt/anaconda3/bin/python3 (no fallback) and call ffmpeg/ffprobe; the instructions also instruct converting local image files to base64 and sending them to the Zhipu API. That means if the agent is given a local file path, its contents will be read and uploaded to a remote service — this is expected for image inputs but should be explicit in the manifest/instructions.
Install Mechanism
There is no install spec (instruction-only), which reduces install-time risk. The package includes runnable scripts but does not declare dependencies (Python package 'zai' / Zhipu client) or system binaries. No remote download/install steps are present in the manifest.
! Credentials
The code requires a ZHIPU_API_KEY (checked at runtime) and network access to the Zhipu service, but the registry metadata lists no required environment variables or primary credential. This omission is disproportionate: an API key is a high-sensitivity secret and should be declared and justified. Additionally, local files passed as image inputs are read, base64-encoded, and sent to the remote API — users must not pass sensitive local file paths unless they understand the upload.
Persistence & Privilege
The skill does not request persistent/always-on privileges, doesn't modify other skills or global agent configuration, and only writes task/result files in the configured output directory. Autonomous invocation is allowed (platform default) but not combined with excessive privileges.
What to consider before installing
This skill looks like a legitimate video-generation wrapper, but several important details are missing or inconsistent: (1) the code requires ZHIPU_API_KEY but the skill metadata does not declare any required credentials — confirm you must provide a Zhipu API key and only provide it to trusted skills/environments; (2) the scripts call ffmpeg and ffprobe and use a hard-coded Python interpreter (/opt/anaconda3/bin/python3) — ensure those binaries exist or edit the scripts to point to your environment; (3) any local image path you give will be read, base64-encoded, and uploaded to Zhipu's API (do not pass sensitive files); (4) the skill depends on a 'zai' Zhipu client library that is not declared — install and review that dependency before running. If you plan to use this skill, run it in a sandbox or isolated environment first, verify/patch the shebangs and paths, and ask the publisher to update the manifest to declare ZHIPU_API_KEY and required binaries/dependencies. If you cannot verify those points, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f3h11hrw2mzex97z6jdz70582tn6p
