Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AV Skill
v1.0.0
Toolkit for converting, editing, analyzing, and generating audio and video files, supporting common formats and effects within OpenClaw.
bybittao@hgta23
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and README promise many real AV capabilities (format conversion, effects, analysis, TTS, URL handling). The only shipped Python code (av_skill.py) is a simple stub that returns informational strings and does not implement any real processing. The listed dependencies (moviepy, pydub, opencv, gTTS, requests, Pillow) are plausible for the claimed features, but including them while providing only a stub is disproportionate and inconsistent.
Instruction Scope
SKILL.md stays on-topic for AV functionality and does not ask to read unrelated files or credentials. It does state the skill handles local files and URLs and that an Internet connection is required for some features (TTS). However, the runtime instructions are descriptive only; they do not show how networked operations or file handling would be performed, and the shipped code does not implement URL/file I/O despite the documentation claiming such behavior.
Install Mechanism
There is no explicit install spec for the skill (instruction-only), but README suggests installing requirements.txt via pip. requirements.txt includes common third‑party packages (requests, gTTS, moviepy, opencv, pydub, Pillow). No install URL or archive is used (lower risk), but the package lacks an automatic install spec and the requirements file contains a minor formatting typo (' Pillow') which may cause installation errors.
Credentials
The skill requests no environment variables or credentials (good). However, it includes network-capable libraries (requests, gTTS) that, if the implementation were changed, could make network requests — so absence of declared credentials is appropriate but the presence of network libraries increases the need for provenance and review before installing.
Persistence & Privilege
The skill does not request elevated or persistent privileges (always:false) and does not declare modifications to other skills or system-wide settings. Autonomous model invocation is allowed by default (platform normal) and is not combined with other high-risk flags here.
What to consider before installing
This package overpromises: the README and SKILL.md describe many real AV operations, but the shipped Python file is just a non‑performing stub that returns text. Before installing or running anything: (1) verify the skill's provenance (who published it); (2) ask the author for the real implementation or an install spec that explicitly installs and invokes only the needed packages; (3) if you must try it, do so in a sandbox/isolated environment (no sensitive credentials present) because the listed dependencies include network-capable packages (requests, gTTS) that could perform network requests if real code is added; (4) watch for the requirements.txt formatting typo and review any packages that would be installed. If you need the functionality now, prefer a skill with an explicit, reviewed implementation or one that clearly documents required actions for network access and file I/O.
Like a lobster shell, security has layers — review code before you run it.
latestvk9718eh5jnyeytpas48j0j18ed84e0ts
