Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Media Gen Vision Video

v1.0.0

Generate and analyze images, and generate videos using OpenClaw's preferred Google media workflows. Use when the user asks to create, edit, inspect, compare,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md repeatedly instructs using Google-native models (Nano Banana 2 / Gemini / Veo 3.1) and 'official Gemini API workflow', but the skill declares no required environment variables, primary credential, or config paths to supply Google API credentials. If the skill truly needs direct access to Google media APIs, it should request credentials or a connector; the absence is inconsistent.
Instruction Scope
Runtime instructions require generating, saving, and delivering binary media files (images/videos) and say to 'save the final file with a stable filename' and 'send the generated asset directly into the conversation.' Those are reasonable for the stated purpose but imply file system and attachment APIs. The skill does not specify where to store files, how to obtain user-supplied reference images, or what channels are used to deliver assets — this ambiguity could lead to broader access than expected.
Install Mechanism
Instruction-only skill with no install spec or remote downloads. This is low-risk from an installation perspective because no new code is written to disk by an installer.
! Credentials
No env vars or credentials are declared, yet the workflow clearly needs access to Google APIs (which normally require API keys or OAuth tokens). This omission is disproportionate: either the platform must supply a connector implicitly (which should be documented) or the skill is failing to declare needed secrets.
Persistence & Privilege
always is false and there are no install hooks or requests to modify other skills or global settings. The skill does request the ability to save and send files, which is normal for media workflows and does not itself indicate elevated persistent privilege.
What to consider before installing
This skill's instructions clearly expect access to Google media models and to save/send media files, but it doesn't declare any credentials or config paths. Before installing, ask the publisher or platform: (1) How are Google/Gemini/Veo credentials supplied (API key, OAuth connector, or built-in platform integration)? (2) Where will generated files be stored and who can access them? (3) Will the skill run autonomously and could it upload user images to external services? If the platform supplies a documented, least-privilege Google connector (or the skill explicitly lists required env vars like GOOGLE_API_KEY/GEMINI_TOKEN and explains storage locations), the mismatch is resolved and the skill is more acceptable. Without that information, treat the skill as suspicious because it asks the agent to do things that normally require credentials and file access but does not declare them. Provide these answers or update the skill metadata (required env vars/config paths) before enabling it in sensitive environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk974sq882dtb51fpvbyvm9k6qn83rcwa
