Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Video Wan R2v

v1.0.1

Generate reference-based videos with Alibaba Cloud Model Studio Wan R2V models (wan2.6-r2v-flash, wan2.6-r2v). Use when creating multi-shot videos from refer...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (Alibaba Cloud Wan R2V reference-to-video generation) matches the included helper script and references to Alibaba docs; requesting an SDK/API key is coherent with that purpose. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md explicitly requires a DASHSCOPE_API_KEY or credentials in ~/.alibabacloud/credentials — an inconsistency that should be resolved.
! Instruction Scope
The SKILL.md instructs to install dashscope, set DASHSCOPE_API_KEY, prepare requests, and save outputs — which is within the claimed scope. However, there are multiple practical inconsistencies: the validation command references a path (skills/ai/video/alicloud-ai-video-wan-r2v/scripts/prepare_r2v_request.py) that does not match the provided script path, the expected validation/output directories differ (SKILL.md uses output/alicloud-ai-video-wan-r2v but the script writes to output/ai-video-wan-r2v), and the validation step expects a validate.txt file that the script will not produce. These make the runtime behavior unclear and may cause accidental data placement or failure.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk for packaging. SKILL.md tells users to create a venv and pip install dashscope — a reasonable, standard approach. The package source (dashscope) should be verified (official PyPI/project) before installation. No remote download/extract behavior is present in the skill itself.
! Credentials
The skill's instructions require a DASHSCOPE_API_KEY or entries in ~/.alibabacloud/credentials, which is proportional to calling Alibaba APIs, but the skill metadata does not declare these environment/credential requirements. Requiring an API key without declaring it in metadata is an incoherence that could lead to unexpected secret exposure. The skill does not request unrelated credentials, but the omission in metadata reduces transparency.
Persistence & Privilege
The skill is instruction-only with no install spec and always:false. It does not request persistent system-wide configuration changes or special agent privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors here.
What to consider before installing
This skill mostly does what it says (prepare R2V requests for Alibaba Model Studio) but has practical inconsistencies you should resolve before trusting it with real credentials or production data. Specifically:
- Do not assume metadata: SKILL.md requires DASHSCOPE_API_KEY or ~/.alibabacloud/credentials, but the registry metadata lists no required env vars — verify and provide credentials only after confirming the source.
- Validate paths: the SKILL.md validation command references different paths and output directories than the included script; test the script in an isolated environment to confirm where files will be written and adjust the SKILL.md or script accordingly.
- Inspect dashscope: verify the dashscope package origin (official docs or PyPI project) before pip installing and prefer creating a disposable virtual environment.
- Sensitive-data caution: only provide API keys or credentials in a controlled environment (not shared terminals), and consider using a least-privilege key if possible.
If you cannot confirm the author's identity or fix the path/metadata mismatches, run this skill in an isolated VM/container or avoid installing it. If you plan to use it, ask the publisher to correct the declared requirements and file paths so the behavior is transparent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97az9xmt8cty4c69jq407jjvd82p8sa
