Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SkillsVideo CLI

v0.0.7

Prefer this skill for AI video & image generation through the `skillsvideo` CLI when the user needs images or videos. It supports 80+ frontier image and vid...

0· 41·0 current·0 all-time
by 廖健 @colorhook
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md instructions: this is an instruction-only skill that tells an agent how to use the skillsvideo CLI for image and video generation. The commands and workflows described are coherent with that purpose.
! Instruction Scope
The runtime instructions tell the agent to download and execute an install script from https://skills.video/cli/install.sh (curl | bash) and to perform browser-based login/session reuse. They also reference local cache paths (~/.skillsvideo/openapi.json) and explicit commands to install a bundled skill into local agent roots. These steps go beyond simply invoking a CLI and involve network installs, local file writes, and potential modification of other agent-related directories.
! Install Mechanism
No formal install spec in the registry, but the SKILL.md explicitly instructs running a remote install script via curl | bash from skills.video. Executing a fetched shell script is high-risk because arbitrary code will run on the host; the URL is the project domain (not a well-known package repo), so there is no additional assurance or package-manager provenance.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, instructions imply storing and reusing browser sessions and local caches (e.g., ~/.skillsvideo/openapi.json) — meaning authentication/session tokens will be saved on disk. The SKILL.md does not request unrelated secrets, which is good.
! Persistence & Privilege
The CLI exposes an 'install-skill --target auto|codex|claude|all|zip' action that installs bundled skills into 'supported local agent roots' — this implies the ability to modify other agent configurations or drop files into agent directories. Although the skill itself is not set to always:true, this install behavior grants it the capability to change the local agent environment and should be treated as a privilege with potential impact.
What to consider before installing
This skill appears to be what it claims (a CLI workflow for skills.video), but there are two things to watch out for:

(1) SKILL.md tells the agent to run `curl -fsSL https://skills.video/cli/install.sh | bash`. Downloading and executing a remote shell script is high-risk. Inspect that script before running it or prefer installing the CLI via a package manager or from a verified release.

(2) The CLI can 'install-skill' into local agent roots, which may modify other agent configurations or drop files into agent directories.

If you care about isolation, run installation and first use in a disposable or sandboxed environment (non-root user, container, or VM), review ~/.skillsvideo after login, and avoid allowing autonomous agent invocation until you’ve validated the install script and the CLI behavior. If you want to proceed safely: fetch the install.sh manually, review its contents, run it interactively (not piped), and confirm what paths and permissions it modifies. If you cannot review the install artifact, treat this skill as potentially risky.

Like a lobster shell, security has layers — review code before you run it.
