ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Luma Video

v1.0.0

Generate AI videos with Luma Dream Machine via AceDataCloud API. Use when creating videos from text prompts, generating videos from reference images, extendi...

0· 75·0 current·0 all-time
by@germey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly requires an ACEDATACLOUD_API_TOKEN to call https://api.acedata.cloud, which is coherent with the stated purpose. However, the registry metadata lists no required environment variables or primary credential — that mismatch is an integrity problem (metadata understates what will be needed).
Instruction Scope
Runtime instructions are limited to calling the AceDataCloud Luma endpoints (curl POSTs) and optionally installing/using a separate mcp-luma helper. The doc does not instruct reading unrelated files, broad system state, or other env vars. It does expect public image URLs for image-to-video workflows.
Install Mechanism
There is no install spec and no code files (lowest disk-write risk). The doc suggests optionally running `pip install mcp-luma` or using a hosted MCP server — installing a third-party pip package introduces typical supply-chain risk and should be reviewed, but the skill itself does not auto-install anything.
!
Credentials
The SKILL.md requires a single API token (ACEDATACLOUD_API_TOKEN), which is proportional for a cloud API integration. The concern is that the registry metadata incorrectly lists no required env vars or primary credential — this inconsistency can hide the fact that a secret is needed and transmitted to api.acedata.cloud.
Persistence & Privilege
The skill is instruction-only, does not request persistent installation, and 'always' is false. It does allow normal autonomous invocation (platform default), but there is no indication it modifies other skills or system settings.
What to consider before installing
This skill appears to be a straightforward set of instructions for calling AceDataCloud's Luma API, but there are two things to check before you use it: (1) the SKILL.md requires an ACEDATACLOUD_API_TOKEN even though the registry metadata omits that — ensure you only supply a token you obtained from a trusted AceDataCloud source and that the token has least privilege; (2) the skill is from an unknown/unnamed source and references a domain (api.acedata.cloud) and an optional pip package (mcp-luma) — verify the vendor, review the pip package code or its official repository, and confirm pricing/privacy terms. Also be aware that image-to-video mode requires publicly accessible image URLs (which can expose those images), and any API calls will transmit your prompt and referenced URLs to the AceDataCloud service. If you cannot verify the publisher or the package, treat the token as sensitive and avoid reuse of high-privilege credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk973mewqcp73mmgb6mkz3er6tn83dsxa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments