ClawdVine
v1.2.0
Short-form video for AI agents. Generate videos using the latest models, pay with USDC via x402.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (short-form video, pay via x402) matches the included code and API references: scripts interact with api.clawdvine.sh, x402 libs, and Base chain. However the registry metadata claims no required env vars or binaries, while the shipped scripts clearly expect Node and an EVM private key (EVM_PRIVATE_KEY) — a metadata mismatch that should have been declared.
Instruction Scope
The SKILL.md instructs the agent to read/store an agentId (save permanently to memory/config or set CLAWDVINE_AGENT_ID) and to check the environment for private-key-derived wallet info. It also includes prescriptive, persistent instructions ("SAVE THE RETURNED agentId TO YOUR MEMORY") and contains the 'system-prompt-override' pattern that the pre-scan flagged. The instructions thus request persistence and reading of environment/state beyond what the metadata declares.
Install Mechanism
There is no install spec despite a package.json and package-lock.json with non-trivial dependencies (@x402/*, viem, siwe, ethers). The skill appears to expect running Node scripts and installing npm deps, but the skill metadata did not declare required binaries or an install step. That omission is an operational/integrity concern (unexpected code execution surface).
Credentials
The scripts explicitly require EVM_PRIVATE_KEY (sensitive secret) to sign SIWE messages and to pay via x402; they also suggest storing CLAWDVINE_AGENT_ID in environment. The registry metadata lists no required env vars or primary credential — failing to declare that a private key is needed is a significant mismatch because a private key grants signing/payment authority onchain.
Persistence & Privilege
The skill does not set always:true and does not request system-wide configuration changes, but SKILL.md explicitly tells the agent to persist the agentId (memory/config/env). Persisting an identifier is reasonable for usability, but combined with undeclared private-key usage it increases risk — the instruction to permanently save sensitive identifiers should be considered carefully.
Scan Findings in Context
[system-prompt-override] unexpected: The SKILL.md contains strong prescriptive language about saving state and stepwise agent behavior; the pattern detector flagged a system-prompt-override pattern. This is not required for a simple API integration and may indicate an attempt to influence agent behavior beyond normal instructions. Treat as suspicious and review SKILL.md carefully.
What to consider before installing
This skill appears to be a legitimate video-generation integration that charges via x402 on the Base network, but the distributed package/code requires a sensitive EVM private key (EVM_PRIVATE_KEY) and instructs the agent to persist an agentId — and the registry metadata fails to declare those requirements. Before installing or running:
(1) Do not provide your main wallet private key; use a throwaway/burner wallet with minimal USDC if you want to test.
(2) Review the full SKILL.md and the three scripts yourself — they show exactly how keys are used (signing SIWE messages and initiating payments).
(3) Expect to need Node/npm and to install dependencies listed in package.json; run installs in an isolated environment.
(4) Be cautious about allowing the skill to save agentId to global memory or env variables.
(5) If you cannot inspect/run the code in a sandbox, do not supply any private keys.
The metadata omissions and the prompt-injection flag justify extra scrutiny before trusting this skill.
Like a lobster shell, security has layers — review code before you run it.
latestvk974c5tkt7d0kwp4mq1cn83vmn80jk5b
