Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Skills
v0.1.0
Build and execute skills.video video generation REST requests from OpenAPI specs. Use when user needs to create, debug, or document video generation calls on...
⭐ 1 · 65 · 0 current · 0 all-time
by @chuyun
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (building and executing skills.video generation calls) aligns with the included scripts and references (create SSE requests, poll results, inspect OpenAPI). Network targets are limited to the documented platform (open.skills.video). However, the registry metadata lists no required credentials while the runtime clearly depends on SKILLS_VIDEO_API_KEY — a mismatch between claimed requirements and actual needs.
Instruction Scope
SKILL.md and the scripts keep to the stated scope: inspecting OpenAPI files, building payloads, POSTing to SSE endpoints, and falling back to polling. Instructions do not request unrelated system files or arbitrary external endpoints beyond skills.video. They do instruct running the included Python scripts and reading user-supplied OpenAPI/docs files.
Install Mechanism
No install spec (instruction-only/embedded scripts) — low installation risk. All behavior is in plain Python scripts bundled with the skill (no downloads or archive extraction).
Credentials
The runtime expects and reads SKILLS_VIDEO_API_KEY (scripts and examples use it for Authorization), but the skill metadata declares no required env vars or primary credential. Requesting that API key is proportionate to the skill's purpose, but the omission in metadata is a coherence/visibility problem: users may not realize they must provide a bearer key or how it will be used.
Persistence & Privilege
always:false and no filesystem/config paths requested. The skill does not appear to modify other skills or system-wide settings. It runs subprocesses only to invoke helper scripts and performs network I/O to the expected service.
What to consider before installing
This package contains Python helper scripts that will call open.skills.video endpoints and require an API key provided as SKILLS_VIDEO_API_KEY. Before installing or giving the agent this skill: (1) understand that the skill will make network calls to https://open.skills.video and will use whatever API key you set; (2) do not provide unrelated credentials — only a dedicated skills.video API key is needed; (3) prefer a least-privilege API key (scoped/limited if the platform supports it) and avoid exposing high-privilege or multi-service keys; (4) inspect the bundled scripts yourself (they are plain Python) if you have security concerns; and (5) ask the skill author/registry maintainer to update the metadata to declare SKILLS_VIDEO_API_KEY as a required credential so the requirement is visible in the registry.
Like a lobster shell, security has layers — review code before you run it.
latest vk97frkvs3p4jhnfc7v1yy11czh839px7
