Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Test Skill

v0.0.1

Headless creative production studio for AI agents. Generate images, edit photos, create videos, produce voiceover/music/SFX, and assemble polished output via...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The high-level purpose (images, video, audio) matches the providers and endpoints listed in SKILL.md, but some provider claims look odd (e.g., Freepik listed as covering voice/music/SFX) and the skill advertises many capabilities beyond what the single declared required env var (FREEPIK_API_KEY) implies.
Instruction Scope
SKILL.md instructs the agent to call many external APIs, run node/npm/npx, ffmpeg, python scripts, and use 'scripts/*' and 'references/*.md' files — yet the skill bundle contains only SKILL.md. The instructions permit reading and writing files and network calls to many endpoints, which is expected for a media pipeline but also broad; the absence of the referenced scripts/docs and the explicit allowed-tools list is a coherence gap.
Install Mechanism
No install spec (instruction-only) — lowest installer risk. However, because SKILL.md expects various CLIs and scripts to exist on the host, an implicit install of binaries (node, ffmpeg, etc.) is effectively required but not provided by the skill.
Credentials
The registry requires only FREEPIK_API_KEY, but SKILL.md documents use of multiple provider keys (FAL_API_KEY, GOOGLE_API_KEY, OPENROUTER_API_KEY, ELEVENLABS_API_KEY). Requiring only Freepik while supporting many optional provider keys is reasonable, but the skill's claim that Freepik alone 'covers all capabilities' (including voice/music/SFX) is questionable and should be validated before providing other provider credentials.
Persistence & Privilege
The skill does not request always:true or access to system config paths. It allows autonomous invocation (platform default) but does not request elevated persistent privileges in the manifest.
What to consider before installing
This skill is instruction-only but its runtime docs expect many CLIs (node, npm/npx, ffmpeg, python3), local scripts (scripts/*), and reference files that are not included in the bundle — confirm these tools and files exist in your environment before use. Verify the exact provider capabilities (e.g., whether Freepik actually provides TTS/music) and only supply API keys that you trust and are necessary; do not paste broad-scoped credentials (like a general Google API key) unless required. Because the skill will perform network calls to multiple third-party endpoints, review the homepage and any external code repositories, and prefer creating limited-scope API keys for each provider. If you need stronger assurance, ask the publisher for the missing scripts/reference files and an explicit install plan, or run the skill in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🎬 Clawdis
Any bin: curl, jq
Env: FREEPIK_API_KEY
Primary env: FREEPIK_API_KEY
