Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video generation pipeline
v1.0.1
OpenClaw two-step pipeline: (1) expand a user brief into a three-shot storyboard and save it to storyboard/storyboard.json at project root, (2) run python3 s...
by King @ilaus
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (three 10s segments via CogVideoX-3) aligns with the included script and SKILL.md: the script reads a storyboard JSON and calls the open.bigmodel.cn async video API three times. However, the registry metadata lists no required environment variables or primary credential while the runtime instructions and script require ZHIPUAI_API_KEY — this metadata omission is an inconsistency.
Instruction Scope
SKILL.md clearly limits behavior to (1) writing storyboard/storyboard.json in the project root and (2) running scripts/video-generate.py to call the CogVideoX-3 REST API. It does not instruct reading unrelated system files or sending data to unexpected endpoints; network calls go to open.bigmodel.cn as documented. Note: the agent will create files in the repository root (storyboard/ and optional downloaded MP4s).
Install Mechanism
There is no install spec (instruction-only with a single Python script). The script uses only Python stdlib (with optional certifi) and performs HTTPS requests; no remote code downloads or archive extraction are present.
Credentials
At runtime the script requires ZHIPUAI_API_KEY (and optionally BIGMODEL_API_BASE). That credential is proportional to the described functionality. The concern is that the skill registry metadata did not declare this required environment variable or primary credential, which is a mismatch that could lead to unexpected failures or misconfiguration and should be corrected/confirmed before use.
Persistence & Privilege
The skill does not request permanent installation, does not set always:true, and does not modify other skills or system-wide settings. It runs on-demand and has typical network access for an API-backed task.
What to consider before installing
This skill appears to do what it says: produce a storyboard JSON and call the Zhipu (open.bigmodel.cn) video-generation API three times. Before installing/using it: (1) confirm and supply ZHIPUAI_API_KEY in your environment (the metadata omitted this requirement), (2) do not commit your API key to the repo (SKILL.md already warns this), (3) be aware the agent will write storyboard/storyboard.json at the project root and may download three MP4s to an output directory you specify, and (4) verify you trust the remote API (open.bigmodel.cn) since prompts and generated media are sent/received over the network. If you need higher assurance, request the maintainer update the package metadata to declare the required env var and perform a code review in a safe/test repository first.
Like a lobster shell, security has layers — review code before you run it.
