Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image Skills

v0.1.0

Build and execute skills.video image generation REST requests from OpenAPI specs. Use when user needs to create, debug, or document image generation calls on...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (image-generation for open.skills.video) aligns with included scripts that inspect OpenAPI, create SSE requests, and poll results. However, the registry metadata declares no required environment variables or primary credential even though the runtime relies on SKILLS_VIDEO_API_KEY for authenticated calls. This is an internal inconsistency (likely an omission) and reduces transparency.
Instruction Scope
SKILL.md instructs the agent to read OpenAPI/docs JSON files, build payloads from schema, open SSE streams to skills.video endpoints, and fall back to polling. The scripts read only user-specified OpenAPI/docs files and use the SKILLS_VIDEO_API_KEY for network requests; they do not attempt to read other system-wide secrets or unrelated paths. The scope of actions in the instructions is consistent with the stated purpose.
Install Mechanism
There is no install spec (instruction-only install), and the package includes only local Python scripts and docs. No remote downloads or archive extraction are performed. This is low-risk from an installation perspective.
Credentials
The code and instructions require an API key (SKILLS_VIDEO_API_KEY) to call https://open.skills.video/api/v1, but the registry metadata lists no required env vars or primary credential. Requesting a bearer API key is proportionate for this service, but the metadata omission is a transparency/consistency problem. Also note the scripts will use whatever value is in SKILLS_VIDEO_API_KEY (if present) when making network calls; do not set a credential you don't trust being used for these endpoints. No other unrelated secrets are requested by the code.
Persistence & Privilege
The skill does not request permanent/always inclusion (always:false) and does not modify other skills or global agent settings. It runs scripts on demand and relies on environment variables and local files, which is appropriate for its purpose.
What to consider before installing
This skill appears to implement the advertised image-generation workflow for open.skills.video and the included scripts are readable Python. Before installing:
(1) Be aware you will need to provide SKILLS_VIDEO_API_KEY in your environment — the registry metadata did not declare this, so confirm you trust the author/service before exporting any API key.
(2) Review any OpenAPI/docs.json files you pass to the scripts; the tool will read those files and send constructed payloads to the open.skills.video endpoints.
(3) Avoid including secrets in payload fields (prompts or extra parameters) because the scripts will POST them to the remote service.
(4) If you need stronger assurance, ask the publisher to update registry metadata to declare SKILLS_VIDEO_API_KEY as a required credential and to provide a provenance/homepage; absence of those increases risk.
If you don't trust skills.video or the publisher, do not supply credentials.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9760y497kjbf7qefs717ssxjx839jhz
