Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WaveSpeedAI Wan 2.6 Video Generation

v1.0.0

Generate videos using Alibaba's Wan 2.6 model via WaveSpeed AI. Supports text-to-video and image-to-video generation with up to 15 seconds duration at 720p o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly documents WaveSpeed AI / Alibaba Wan-2.6 text-to-video and image-to-video usage and parameters, which is consistent with the name/description. However the registry metadata lists no required credentials while the runtime docs instruct users to set WAVESPEED_API_KEY; the skill source/homepage is unknown. This metadata/instruction mismatch is an inconsistency.
! Instruction Scope
Runtime instructions tell the agent to use wavespeed.run and wavespeed.upload and show examples using local file paths (e.g. wavespeed.upload('/path/to/photo.png')). That implies the agent may be expected to read local files and upload them. The instructions otherwise call out only the intended external endpoint (wavespeed.ai), but use of local file reads/uploads increases the sensitivity of actions the agent might take.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written or installed on disk by the skill itself. This lowers technical installation risk.
! Credentials
The SKILL.md explicitly shows exporting WAVESPEED_API_KEY, but the skill manifest declares no required environment variables or primary credential. Requesting a single API key is reasonable for a hosted generation service, but the omission in the manifest is an incoherence that should be corrected. No other credentials are requested.
Persistence & Privilege
The skill is not marked always:true, does not include install behavior, and does not request persistent system-level privileges. It does not attempt to modify other skills or global agent configuration in the provided instructions.
What to consider before installing
This skill appears to do what its description says (video generation via WaveSpeed AI), but there are two issues to consider before installing:
- Manifest mismatch: The SKILL.md expects a WAVESPEED_API_KEY, yet the registry metadata lists no required environment variables or primary credential. Ask the publisher to update the manifest so you know what secrets are needed.
- Local-file uploads: Examples show uploading local files (e.g., wavespeed.upload('/path/to/photo.png')). If you let the agent run autonomously, it could read and upload local files you point it to. Avoid giving it access to sensitive files and only upload content you are comfortable sharing with the external service.
- Origin unknown: There's no homepage and the source is unknown. Prefer skills from known authors or that include a homepage/repo so you can verify endpoints and client libraries.
- Operational advice: If you proceed, use a scoped API key with minimal privileges, avoid using secrets used elsewhere, and review any files you plan to upload. Request the author to (1) add WAVESPEED_API_KEY to the declared required env vars, (2) provide a homepage/repo link, and (3) clarify any data-retention or privacy policies for uploaded media.

Like a lobster shell, security has layers — review code before you run it.
