Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qwen Video Generator
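v1.0.2
Alibaba Cloud Bailian text-to-video tool. Uses the wan2.2-t2v-plus model to generate video from a text description. **Use this Skill when**: (1) the user needs to generate a video from a text description (2) the user mentions "text-to-video" (文生视频), "generate video" (生成视频), "AI video" (AI视频), or "text to video" (3) short video content needs to be created (4) a scene description needs to be visualized. Supports...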
⭐ 0· 54·0 current·0 all-time
by Marvin @imnull
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Qwen text→video via Aliyun/DashScope) align with the included script that posts to dashscope.aliyuncs.com and downloads a generated video. However, the skill registry metadata declared no required environment variables or credentials while the SKILL.md and script require an API key (DASHSCOPE_API_KEY_VIDEO / DASHSCOPE_API_KEY). This mismatch is unexpected.
Instruction Scope
SKILL.md and the script are consistent: they instruct running scripts/generate_video.py, pass prompt/size/length, poll an API, download the resulting video, and save it to a workspace directory. The instructions do not ask the agent to read unrelated system files or exfiltrate arbitrary data beyond calling the documented API endpoints.
Install Mechanism
There is no install spec (instruction-only + one script). No packages are downloaded or executed at install time. The single Python script will run at invocation; this is low install-time risk.
Credentials
The script requires an API key (DASHSCOPE_API_KEY_VIDEO or DASHSCOPE_API_KEY) and supports VIDEO_OUTPUT_DIR/VIDEO_OUTPUT_SIZE/VIDEO_OUTPUT_LENGTH, but the registry metadata lists no required env vars or primary credential. SKILL.md also omits mention of OPENCLAW_WORKSPACE which the script reads to default the output path. The absent declaration of the API key in metadata is a meaningful inconsistency (credentials should be declared).
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and only writes output files to its own output directory. It sets file permissions to 0644 for usability; this is within expected scope.
What to consider before installing
This skill appears to be a straightforward text-to-video client that calls DashScope (dashscope.aliyuncs.com) and downloads the resulting MP4. Before installing:
1) Verify the publisher/source (no homepage provided) and confirm dashscope.aliyuncs.com is the intended service.
2) Expect to provide an API key (DASHSCOPE_API_KEY_VIDEO or DASHSCOPE_API_KEY); the registry omitted declaring this — ask the publisher to add it to metadata so the platform can treat the secret properly.
3) Limit the API key's scope and rotate it if possible; do not reuse high-privilege keys.
4) The script writes files to workspace/videos (or OPENCLAW_WORKSPACE/videos if VIDEO_OUTPUT_DIR unset) and sets 0644 permissions — ensure that directory is acceptable and does not expose sensitive data.
5) If you need higher assurance, run the script in an isolated environment and inspect network calls (it only calls dashscope endpoints) or request the publisher's official docs/homepage.
The code shows no other obvious exfiltration, but the metadata omission of required credentials is the primary red flag.
Like a lobster shell, security has layers — review code before you run it.
