Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
文生图视频生成
v1.0.0根据用户提示词,实现文生图、文生视频、图生视频,制作的素材用于地震应急数字化演练。
⭐ 0· 124·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to generate images/videos for emergency drills and its steps match that goal. However, it requires uploading local asset images to Alibaba Cloud OSS and invoking a third‑party aggregation API (api.wuyinkeji.com) — actions that normally require credentials and explicit configuration but the skill declares no required env vars or credentials. This is an incoherence between claimed capabilities and declared requirements.
Instruction Scope
Runtime instructions tell the agent to read a local assets directory and a spreadsheet ('防汛脚本20260309.xlsx'), randomly pick a local image, upload it to OSS, then call external generation and status APIs. Those instructions involve reading local files and transmitting them to external services, but do not document where the spreadsheet is stored, how to authenticate to OSS or the aggregation API, nor what data is sent/stored by the external service. The scope includes data exfiltration (upload) and use of unspecified external endpoints.
Install Mechanism
Instruction-only skill with no install spec or bundled code — lowest install risk. The scanner had no code files to analyze.
Credentials
The instructions clearly require credentials (Alibaba OSS access, likely an API key/token for the aggregation platform) but the skill declares no required environment variables, primary credential, or config paths. That omission is disproportionate and makes it ambiguous how authentication will occur; it also hides the fact that local assets will be sent to external services.
Persistence & Privilege
The skill does not request always:true or any persistent/system-wide privileges and is user-invocable only. It writes outputs to a workspace path under /home/xihu/.openclaw/workspace/output which is self-contained and expected for this kind of task.
What to consider before installing
Before installing, note these risks and mitigations: (1) The skill uploads local images and calls a third‑party API but does not declare how it will authenticate — verify where credentials come from and prefer short‑lived, least‑privilege keys if needed. (2) Confirm the exact external endpoint(s), review their privacy/data‑retention policies, and ensure you consent to sending any local images (they may contain sensitive data). (3) Ask the author to document required env vars (OSS keys, aggregation API key), the location of the referenced spreadsheet, and to clarify what data is transmitted/stored. (4) If you must run it, do so in a sandboxed environment with minimal privileges and limit access to only the assets you want to share. (5) If these clarifications are not provided, treat the skill as potentially exfiltrating local files and avoid using sensitive images or credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97anm2shaqvjbk99b4mhjc9318332qz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.