Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Runpod Media
v1.1.2Generate images from text, edit images with text instructions, animate images to video, and generate video from text — all via RunPod public AI endpoints. Us...
⭐ 0· 282·1 current·1 all-time
byItamar C@itamarcoh3n
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description match the scripts: they call RunPod endpoints to generate/edit/animate media. However metadata and SKILL.md disagree with the code about required secrets and binaries: the code requires a RunPod API key and Cloudflare R2 credentials and the 'uv' runtime, but the registry summary at the top (provided to the evaluator) listed none. This mismatch is unexpected and should be resolved.
Instruction Scope
Runtime instructions and scripts are focused on media generation and uploading local files to a Cloudflare R2 bucket (presigned GET URLs) before passing those URLs to RunPod. That behavior is coherent with purpose, but SKILL.md contains contradictory statements (mentions imgbb in some places, says 'imgbb is no longer used' in others). The scripts read ~/.openclaw/secrets.json and may read the cloudflare.r2 block or the whole file, so the skill has access to all data in that file at runtime.
Install Mechanism
This is instruction-only / script bundle with no platform install spec. The code expects to be invoked via the 'uv' binary (run.sh execs 'uv run ...') and the per-script headers list Python deps (requests, boto3). The package/registry metadata provided to the evaluator omitted the 'uv' binary and secret requirements — that inconsistency is concerning because the skill may fail or behave unexpectedly if the runtime or dependencies are not present. No external archive downloads or shorteners are used.
Credentials
The scripts require a RunPod API key and full Cloudflare R2 credentials (accessKeyId, secretAccessKey, endpoint, bucket). Those credentials are proportionate to the declared feature (upload local files for RunPod), but the skill reads ~/.openclaw/secrets.json broadly (and accesses multiple keys). Ensure you only store minimal R2 credentials (limited-bucket, short-lived token if possible). The SKILL.md and _meta.json declare these secrets, but the top-level registry summary omitted them — this mismatch increases risk of inadvertent secret exposure.
Persistence & Privilege
always:false and no special persistent privileges are requested. The skill writes outputs to ~/.openclaw/workspace/runpod-media and may update its local endpoints.json when using discover_endpoints add — both are confined to the skill directory or the user's OpenClaw workspace. It does read ~/.openclaw/secrets.json (expected for API keys) but does not attempt to change other skills' configs.
What to consider before installing
This skill appears to do what it says (call RunPod and upload local images to Cloudflare R2), but the package metadata, SKILL.md text, and scripts are inconsistent in places. Before installing: 1) Confirm the required credentials (RunPod API key + Cloudflare R2 accessKeyId/secretAccessKey/endpoint/bucket). Provide least-privilege R2 credentials scoped to a temporary bucket if possible. 2) Verify your environment has the 'uv' runtime and the Python dependencies (requests, boto3) or the skill may fail. 3) Note that the skill will read ~/.openclaw/secrets.json and will upload local files to your configured R2 bucket (it creates uploads/ objects and generates presigned GET URLs that RunPod can fetch) — avoid placing highly sensitive images in local paths you plan to upload. 4) Resolve SKILL.md contradictions (imgbb vs R2) and confirm endpoints.json entries before trusting auto-discovery. If you need higher assurance, ask the author to (a) publish consistent metadata declaring required binaries and secrets, (b) reduce the scope of secrets read (only the exact keys), and (c) document dependency installation steps.Like a lobster shell, security has layers — review code before you run it.
latestvk97a2yc0f7p5seb6xpf4db3fph82eybv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.