ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aigc-director

v1.0.0

AI 视频生成全流程:通过 6 个阶段(剧本→角色/场景设计→分镜→参考图→视频生成→后期剪辑)将用户想法转化为完整视频。支持临时工作台(单独调用 LLM、VLM、文生图、图生图、视频生成)。触发词:视频生成、AI视频、AIGC、创作视频、制作视频、AI画图。

0· 68·0 current·0 all-time
byXinfan Chen@hit-cxf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (AI video generation across 6 stages) matches the included code and SKILL.md. The repository contains a local FastAPI backend, Next.js frontend, stage agents, and clients for many AI providers — these are coherent with the claimed functionality.
Instruction Scope
The runtime instructions are specific and scoped to running and interacting with a local backend/frontend (http://localhost:8000 and :3000) and to pausing for user confirmation at defined stop points. They explicitly instruct reading the backend .env file to check API keys and to send a LAN-accessible frontend URL (they include code to compute local IPv4). This is within the skill's purpose, but the instructions give the agent the ability to: (a) read local config (.env), (b) start local services via provided run docs, and (c) construct and share a LAN URL that could expose the local front-end to other devices — all of which the user should accept consciously.
Install Mechanism
There is no formal install spec in registry metadata (instruction-only), but the skill package includes full backend and frontend code and README instructions to clone, create venv, pip install, npm install/build, and run services. That means functionality requires running local code from this package; there is no automatic opaque remote download specified. This is lower risk than installing arbitrary remote binaries, but you must trust the contained code since it will be executed locally.
!
Credentials
Registry metadata declares no required env vars, but SKILL.md and the code clearly require many provider credentials (examples in SKILL.md and config.py): DASHSCOPE_API_KEY, DEEPSEEK_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, ARK_API_KEY or VOLC_ACCESS_KEY/SECRET, KLING_ACCESS_KEY/SECRET, plus ADMIN_PASSWORD and proxy settings. The absence of these requirements from the package metadata is an inconsistency and a red flag — the skill will read the local .env and use these secrets when running.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system-wide privileges in metadata. It runs local services and executes subprocesses (e.g., ffmpeg for concatenation) which is expected for video processing. It does not modify other skills' configs per the provided files.
What to consider before installing
This package appears to be a local AI video studio and largely does what it says, but take these precautions before installing or running it: - Expect to provide many API keys: DeepSeek, DashScope (Aliyun), ByteDance/Seedream (ARK), Volc/JeMeng, Kling (Kuaishou), OpenAI, Google Gemini, etc. The SKILL.md and config.py list these variables. The registry metadata incorrectly lists none — treat that as an omission. - The agent will read aigc-claw/backend/.env and use any API keys there. Do not put high-privilege or unrelated secrets in that file. Prefer creating a minimal .env containing only keys you want this local service to use. - The skill constructs and shares a LAN-accessible frontend URL (it resolves a local IPv4 and suggests sending it). That can expose your machine to other devices on the LAN — only share if you trust your network and the recipients. - The package runs local code (Python backend, Node frontend) and will execute subprocesses (ffmpeg). Only run this code in a controlled environment (VM/container or an isolated machine) if you do not fully trust the source. The source/homepage is unknown in registry metadata — verify the upstream repository and review critical files (tool clients that call external APIs) before running. - If you decide to run it: inspect the tool client modules (aigc-claw/backend/tool/) to confirm which endpoints are called with your API keys, and check for any unexpected network calls or data exfiltration. Consider running with network isolation or with dummy API keys first. If you want to proceed safely, ask for guidance locating and sanitizing the .env, or for a checklist to run the backend/frontend inside a container or VM so secrets and network exposure are controlled.
aigc-claw/frontend/lib/workflowApi.ts:10
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dkg5y524vf8y838f28x03ax83xjmt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments