Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

a2e.ai Full Platform

v2.1.0

a2e.ai full API: Image Gen (Text2Image, NanoBanana, GPT Image, Flux 2), Video Gen (Image2Video with LoRA/FLF2V support, Video2Video, Kling 3.0, Wan 2.6, Sora...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, reference docs, and script all align with an a2e.ai image/video/voice API helper; requesting A2E_KEY is appropriate. Minor mismatch: the provided CLI script uses common binaries (curl, jq, date) but the skill's metadata declares no required binaries. This is an incoherence (not necessarily malicious) that could cause runtime failures.
!
Instruction Scope
SKILL.md explicitly instructs the agent to run `source ~/.openclaw/workspace/.env` to load A2E_KEY. Sourcing the entire .env file can expose any other environment variables or secrets present there (not just the declared A2E_KEY). The script performs many network calls (POST/GET to video.a2e.ai endpoints) which is expected for this API, but the explicit sourcing of a full env file is a scope expansion and risk for secret exposure.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or written during install — good. The included scripts will be executed if used. The script relies on jq and curl; the skill metadata does not declare these required binaries, creating a functional mismatch but not a direct supply-chain red flag.
!
Credentials
The only declared credential is A2E_KEY, which is proportional to the stated functionality. However, the runtime instruction to source ~/.openclaw/workspace/.env may load additional environment variables without declaring them, potentially exposing unrelated secrets. No other unrelated credentials are listed in requires.env.
Persistence & Privilege
The skill does not request always:true and uses default invocation permissions. It does not attempt to modify other skills or system-wide config. Autonomous invocation is allowed by default (disable-model-invocation=false) — this is normal for skills, and here it is not combined with additional dangerous privileges.
What to consider before installing
This skill is coherent with its stated purpose (it wraps the a2e.ai API) and only needs an A2E API key — but take these precautions before installing/using it:
- Review ~/.openclaw/workspace/.env: the SKILL.md tells the agent to source that file. If that file contains any other secrets (AWS keys, tokens, etc.), sourcing it will load them into the agent environment and could unintentionally expose them. Prefer to store only A2E_KEY in the file or change the instructions to load A2E_KEY explicitly.
- Verify local tool availability: the included script uses curl and jq. Ensure those are present and from trusted sources; the skill metadata does not list them as required binaries.
- Understand privacy/legal implications: features like face-swap, voice-clone, and avatar generation upload images/audio to a remote service. Make sure you have rights/consent for any media you process.
- Limit the A2E_KEY scope and rotate it if possible: give the skill an API key with minimal permissions and short lifetime if the platform supports it, and rotate the key after initial testing.
- Monitor network activity and API usage (coins/credits): because the agent can call the API, unexpected autonomous calls could consume credits if the key is compromised or the skill is misused.

If you want the skill but worry about the .env sourcing, ask the publisher (or modify the script locally) so the agent only reads the single A2E_KEY value instead of sourcing the whole file.

Like a lobster shell, security has layers — review code before you run it.

latestvk97frq3te65pwkctt2ka2wyg9183yf1z

Runtime requirements

🎨 Clawdis
Env: A2E_KEY
Primary env: A2E_KEY
