Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

group-director

v1.0.2

create short videos from claw-prepared prompts for feishu or lark group chat scenarios. use when claw already has the chat context in its own memory, has alr...

by HeiMaoM @hei-maom
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and code both implement a video-creation executor calling SenseAudio endpoints (create + poll) and returning a plain URL for Feishu/Lark. Requiring an API key for the provider is appropriate. However, the registry metadata (Requirements) incorrectly lists no required environment variables or primary credential while SKILL.md and the code require SENSEAUDIO_API_KEY; this mismatch is an incoherence that should be resolved before trusting the package metadata.
Instruction Scope
SKILL.md constrains the skill to only accept a final_video_prompt and an optional orientation, perform create+poll, and return a plain-text URL or error message. The code follows this: it does not read chat history, does not emit raw JSON to Feishu, and prints only task_id or video_url / plain error text. No unexpected file reads or external endpoints are referenced beyond the provider base URL.
Install Mechanism
There is no install spec (instruction-only style) which minimizes automated installation risk. However, the included Python scripts use the requests library and assume a Python runtime; the package does not declare this dependency or any setup instructions. That omission is a usability/security concern (missing dependency declaration), though not evidence of malicious intent.
Credentials
At runtime the skill only needs SENSEAUDIO_API_KEY (required) and an optional SENSEAUDIO_BASE_URL — both proportional to calling an external video API. The concern is the manifest/registry metadata claims no env vars are required (contradiction). Also SENSEAUDIO_BASE_URL can be overridden to point to any host, which is a valid feature for testing but should be noted as a potential avenue to redirect requests if an operator or environment variable is misconfigured or maliciously set.
Persistence & Privilege
The skill does not request elevated or persistent privileges, does not set always:true, and does not modify other skills or system settings. Autonomous invocation is allowed by default but that is normal; nothing in the package grants it unusual permanence or cross-skill access.
What to consider before installing
This skill appears to do what it says (create and poll SenseAudio video tasks) and the included code matches the SKILL.md rules. However:
1) The registry metadata incorrectly states no required environment variables while the code requires SENSEAUDIO_API_KEY — confirm the registry is updated or that you can provide the API key.
2) Ensure your agent/runtime provides Python and the requests library (the package does not declare dependencies).
3) Be careful with SENSEAUDIO_BASE_URL — only set it to a trusted provider endpoint.
4) If you plan to install this in a production agent, ask the maintainer to add a proper dependency/install spec and to correct the manifest so required credentials are explicit.
If you cannot verify the owner or cannot supply the API key securely, do not enable the skill.


latest vk97e0bpyypqgde4bhznexrhgs583314t
