Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
UGC Factory
v1.0.0
AI-powered video and content generation pipeline with script writing, TikTok automation, YouTube analysis, media library, avatars, and voice synthesis — buil...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared capability (generate scripts, fetch B-roll, produce videos, analyze & schedule TikTok/YouTube posts) is consistent with a UGC factory. However, several capabilities normally require external credentials (TikTok/YouTube accounts, Pexels/Pixabay API keys, or a payment wallet) yet the skill declares no required environment variables, config paths, or primary credential. That omission is unexpected and should be explained (e.g., does the gateway hold connectors/credentials?).
Instruction Scope
SKILL.md instructs the agent to call an external gateway and to perform actions that can alter external services (create posts, schedule content) and perform sensitive operations (strip-watermark). The instructions do not document how to obtain/authorize the required platform credentials, how to handle user consent, or how payment signing is performed. The 'send a request without payment to receive pricing info in the 402 response' hints at an on-chain payment flow but gives no guidance for safe wallet handling. Lack of explicit guidance grants the agent broad, ambiguous discretion.
Install Mechanism
This is an instruction-only skill with no install steps or code—low technical install risk. But it relies on a single external gateway URL (https://gateway.mcfagentic.com), an unknown third-party endpoint; network calls to that endpoint are the primary runtime action and represent an external trust dependency that should be validated.
Credentials
No environment variables or credentials are declared, yet the skill's features typically require: (a) access tokens/OAuth for social platforms, (b) API keys for media providers, and (c) a cryptographic signing mechanism or wallet to perform x402 (USDC on Base) payments. The absence of declared credential requirements is disproportionate and unexplained. That makes it unclear whether the gateway stores/uses its own credentials (and therefore has broad access) or expects the agent/user to provide secrets at runtime.
Persistence & Privilege
The skill does not request 'always: true' or any persistent installation; autonomous invocation is allowed but that's the platform default. There's no indication it modifies other skills or system settings. Nevertheless, because the skill can perform external actions (post/schedule content) the combination of autonomous invocation + the unclear credential/payment model increases operational risk and should be considered by the user.
What to consider before installing
This skill could do what it says, but important details are missing. Before installing or invoking it: (1) Ask the publisher how authentication works — who holds OAuth/API keys and how user accounts are authorized? (2) Ask how x402 payments are signed and whether you'll need to provide private keys or approve transactions; never paste private keys into prompts. (3) Confirm legal/terms-of-service issues (e.g., watermark removal, reposting YouTube content). (4) Prefer OAuth flows or delegated tokens rather than handing secrets to the skill/gateway. (5) Test in a sandbox account, watch for unexpected network requests or charges, and require documentation of the gateway's operator and privacy/security practices.
Like a lobster shell, security has layers — review code before you run it.
