Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hailuo Video

v1.0.0

Generate AI videos with Hailuo (MiniMax) via AceDataCloud API. Use when creating videos from text descriptions or animating images into video. Supports text-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md describes a straightforward integration with AceDataCloud's Hailuo (MiniMax) API (text→video and image→video). The actions, endpoints, and parameters in the instructions match the described purpose. However, the registry metadata claims no required environment variables while the SKILL.md explicitly says an ACEDATACLOUD_API_TOKEN is required — a metadata inconsistency.
Instruction Scope
Runtime instructions are limited to making HTTP POSTs to https://api.acedata.cloud/hailuo/videos and a task-polling endpoint — no file system reads or unrelated environment access are requested in the SKILL.md. The examples reference external image URLs and optional callback URLs (which can cause data to be sent to third parties), which is within expected scope but worth noting.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no third-party packages are pulled in. That minimizes installation risk.
Credentials
The SKILL.md requires ACEDATACLOUD_API_TOKEN (appropriate for a remote API), but the registry metadata lists no required env vars or primary credential — this mismatch is concerning because a secret is needed but not declared in registry data. The required credential itself is proportionate to the stated purpose, but the metadata omission and lack of provenance (unknown source, no homepage) increase risk.
Persistence & Privilege
The skill does not request always:true and has no install actions that modify other skills or system settings. Default autonomous invocation is permitted (platform normal), so there are no elevated persistence or privilege requests in the bundle.
Scan Findings in Context
[no_regex_findings] expected: The regex scanner had no code files to analyze; this is expected because the skill is instruction-only (SKILL.md). Absence of findings is not evidence of safety — the runtime instructions themselves are the relevant surface.
What to consider before installing
This skill appears to be a simple wrapper around AceDataCloud's Hailuo video API and the examples are consistent with that purpose, but the package metadata omitted the required ACEDATACLOUD_API_TOKEN. Before installing or using it: (1) verify the skill's source and trustworthiness (there's no homepage or publisher info), (2) confirm you are willing to provide ACEDATACLOUD_API_TOKEN and that the token's permissions and billing are acceptable, (3) avoid passing private/internal image URLs (the API will fetch external URLs and could leak private resources), (4) be cautious with callback_url values (they can send generated content to third parties), and (5) ask the publisher to update the registry metadata to declare the required env var and provide a homepage or documentation so you can audit the service. If the developer cannot supply provenance or correct the metadata, treat the skill as higher-risk and consider not installing it.
