Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, SKILL.md, and script all align: this is a CogVideoX (ZhipuAI) video-generation skill and it needs a ZHIPUAI_API_KEY. However, the registry metadata earlier reported "Required env vars: none" and the skill has no homepage/source URL, which is inconsistent and reduces transparency.
Instruction Scope
SKILL.md and the script only describe submitting a video-generation task and polling results from ZhipuAI. There are no instructions to read arbitrary local files, other env vars, or exfiltrate data to unexpected endpoints in the provided files.
Install Mechanism
There is no install spec even though the script imports 'zai' and uses ZhipuAiClient; the required Python dependency is not declared and the skill's source/homepage is missing. This is a usability/traceability gap and increases risk because fetched dependencies or missing libs could cause the integrator to install packages manually or run unclear code.
Credentials
The script only needs a single API key (ZHIPUAI_API_KEY), which is appropriate for calling the external service. But the registry metadata claiming no required env vars contradicts the code and SKILL.md, which is an inconsistency the user should note.
Persistence & Privilege
The skill does not request always:true, does not persist configuration or modify other skills, and does not require elevated or system-wide privileges.
What to consider before installing
This skill appears to do what it says (generate video via ZhipuAI) and the script only uses one API key (ZHIPUAI_API_KEY). However:
1) the registry metadata incorrectly lists no required env vars while the code expects ZHIPUAI_API_KEY — confirm the platform will grant the skill that env var only if you trust it;
2) there is no install/dependency specification for the 'zai' SDK and no homepage or source repository for the skill or SDK — verify the provenance of the 'zai' package before installing;
3) since the source is unknown, consider running the skill in an isolated environment or reviewing the 'zai' library/package code and network endpoints it contacts;
4) only provide your ZhipuAI API key if you trust the skill owner; otherwise ask the publisher for a repo, release URL, and a dependency list (or a vetted install spec) before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk9745rjfgp512dhfkjar5jq0vh83v9jb
