Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video App
v1.2.0
Automation skill for VibeClip - AI Music Video Gen.
by Goroni @gblockchainnetwork
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and index.js are coherent: the app uses Ollama to generate scene descriptions and FFmpeg to render a photo+audio video, and the package.json dependencies (express, multer, ollama, uuid) match that purpose. Minor inconsistency: SKILL.md advertises 'Revenue SaaS / ETH payments' but the code has no payment logic; SKILL.md also mentions VPS deploy/readiness but does not include explicit npm-install instructions (package.json exists).
Instruction Scope
SKILL.md instructs pulling Ollama models and running the Node app; the runtime index.js only reads uploaded audio/photo + prompt, calls local Ollama, and spawns ffmpeg to produce an MP4. There is no hidden file reading, credential access, or external endpoints in the code. Operational/security note: the app accepts unauthenticated uploads, writes files to uploads/ and outputs/, and serves outputs publicly (no auth, no rate limiting) — this increases exposure (abuse, storage bloat, hosting malicious files) but is consistent with a simple prototype.
Install Mechanism
No packaged install spec was present in the registry metadata, but SKILL.md includes a metadata.install entry that runs 'ollama pull' to download models — that is a reasonable source (ollama) rather than a personal server. The package.json / package-lock indicate normal npm dependencies; however, SKILL.md does not explicitly instruct 'npm install', which is a minor operational mismatch. No high-risk arbitrary downloads or URL shorteners detected.
Credentials
The skill requests no environment variables or credentials and the code does not attempt to read secrets or external config. Using local Ollama and FFmpeg requires those binaries to be available but no sensitive access is requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and runs as a standalone web app on port 3000. Note: exposing a web server on 0.0.0.0 is expected for this app but has normal hosting risks (publicly accessible uploads/outputs).
Assessment
This skill appears to do what it claims (generate short music videos using a local Ollama model + FFmpeg). Before installing or running it:
1) Ensure you have node, Ollama, and FFmpeg installed and trust the local Ollama models you pull.
2) Run 'npm install' in the skill directory so dependencies are installed (SKILL.md doesn't list this step).
3) If you deploy to a VPS, protect the service (authentication, HTTPS, firewall, rate limits) because the app accepts unauthenticated uploads and serves outputs publicly.
4) The SKILL.md mentions payments/ETH but there is no payment code — treat that as marketing only.
5) Consider disk-quota and cleanup policies (uploads/ and outputs/ are written to disk).
If you need the skill to handle sensitive inputs or be internet-facing, add access controls and monitoring first.