Skill v1.0.1

ClawScan security

An OpenClaw skill for AI-powered multimedia generation (image, video, audio, 3D) via 170+ RunningHub API endpoints — zero dependencies, pure Python. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 11:08 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested credential align with its stated purpose (using RunningHub APIs for multimedia generation); nothing in the bundle suggests it is doing unrelated work or reaching out to unexpected services.
Guidance
This skill appears to do what it claims: it runs local Python scripts that call RunningHub (runninghub.cn) APIs and requires your RunningHub API key. Before installing or using it, consider:

1) Only provide an API key you trust the RunningHub service with; avoid pasting the key in a public chat, and prefer saving it to ~/.openclaw/openclaw.json if you accept that file storage.
2) The scripts will make network calls only to runninghub.cn; verify you trust that domain and understand any billing/cost implications.
3) The skill enforces hiding raw endpoint URLs/IDs from users and automates file delivery via a platform message tool; review whether that delivery flow fits your privacy requirements.
4) Be mindful of features like voice cloning, realistic-person video, or uploading images of people: those carry legal/ethical considerations.

If you want additional assurance, review the three Python scripts and data/capabilities.json yourself and test with a low-permission test key or a small-budget account first.

Review Dimensions

Purpose & Capability
ok: Name/description match assets and behavior: the package contains Python scripts that call RunningHub endpoints, a large capabilities.json catalog, and SKILL.md describing image/video/audio/3D and AI-app flows. Required binaries (python3, curl) and the primary credential (RUNNINGHUB_API_KEY) are appropriate for a client that shells out to curl and calls RunningHub APIs.
Instruction Scope
note: SKILL.md tightly scopes runtime actions to using the included scripts (never curl directly) and to interacting with RunningHub endpoints. Scripts do read ~/.openclaw/openclaw.json as a fallback for the API key and the docs instruct users how to save the key there. This is coherent with the skill's behavior but worth noting: the skill encourages users to provide their API key (including showing a snippet that saves it into ~/.openclaw/openclaw.json) and the scripts may send the key in query/form parameters to runninghub.cn endpoints.
Install Mechanism
ok: No install spec; instruction-only with included scripts (no external downloads or package installs). Risk is limited to running the provided Python scripts and curl commands; nothing is fetched from third-party URLs at install time.
Credentials
note: Only the RunningHub API key is required (primaryEnv RUNNINGHUB_API_KEY), which is proportionate. The scripts also attempt to read the agent config at ~/.openclaw/openclaw.json to find a saved key; this access is limited to the skill's own config area but implies the skill can read/write that file if the user follows the provided save-key snippet. The skill's instructions also prompt users to paste keys into chat as a verification option; that is functional but increases risk of accidental exposure if users paste secrets in messages.
Persistence & Privilege
ok: always:false and no special platform-wide privileges. The only persistence behavior documented is an optional user-driven save of the API key to ~/.openclaw/openclaw.json (a per-user config file). The skill does not modify other skills or require always-on presence.