ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Viral Video Studio

v1.0.0

Full short-form video content creation workflow for TikTok, Instagram Reels, and YouTube Shorts: analyze a reference viral video URL, reverse-engineer its vi...

0· 92·0 current·0 all-time
byeddie Luong@eddieluong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to analyze viral short videos and produce concepts/scripts/prompts. The included shell script (analyze_tiktok.sh) and SKILL.md steps explicitly call yt-dlp and ffmpeg to download and extract frames, and reference image- and video-generation services to create assets — these are consistent with the stated workflow.
Instruction Scope
The instructions tell the agent to download user-supplied TikTok URLs (yt-dlp) and extract frames to /tmp, then use the platform 'image' tool for analysis and generate prompts for external image/video services. This stays within the claimed purpose, but has privacy/legal implications: it will fetch potentially copyrighted creator content into /tmp and may send extracted frames to external analysis/generation endpoints. The SKILL.md does not instruct reading unrelated system files or environment variables.
Install Mechanism
No install spec is provided (instruction-only plus one helper script). No network downloads or archive extractions are embedded in an install step. The runtime assumes external tools (yt-dlp, ffmpeg, python3) are present on PATH; that is expected for the described operations.
Credentials
The skill does not declare or require any environment variables, credentials, or config paths. It references third-party services (Kling AI, Hailuo, DALL‑E) that the user may choose to sign up for, but the skill does not request secrets or tokens itself.
Persistence & Privilege
The skill is not forced-always, does not request autonomous privileges beyond the platform default, and does not modify other skills or system-wide settings. It writes outputs to project assets and /tmp as part of normal operation.
Assessment
This skill appears coherent for building short-form video workflows, but consider the following before installing: (1) It instructs the agent to run yt-dlp and ffmpeg to download and process a TikTok URL and save frames to /tmp — make sure you have permission to download/repurpose that content and check legal/copyright terms for the source and for any platform you publish to. (2) The workflow expects external AI services (DALL·E, Kling AI, Hailuo, etc.); you will need accounts/credentials for those and any uploaded images/character references will be shared with those services. (3) Ensure yt-dlp/ffmpeg/python3 are available on the host; the script assumes those binaries. (4) The skill contains monetization/affiliate guidance — review any affiliate links or claims and be cautious about sharing personal account credentials. If you want a higher-assurance review, provide any additional hidden files or a list of external endpoints the skill will call at runtime (e.g., specific API URLs/SDKs) so I can check for unexpected network exfiltration or requests for unrelated secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ccxd99nabbq0t6e3mb791b5839cqr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments