Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
video-thumbnail
v1.0.0
Generate thumbnails from videos
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name and description are plausible for thumbnail generation, but the SKILL.md expects a local script (python3 scripts/video_thumbnail.py) that is not included in the package. That mismatch suggests the skill is incomplete or relies on external, unstated components.
Instruction Scope
Instructions tell the agent to run a specific local script path and to use an environment variable (THUMBNAIL_API_KEY). The manifest lists no code files and no required env vars, so the instructions reference files/credentials outside the provided material.
Install Mechanism
There is no install spec (instruction-only). This is low risk by itself because nothing will be written or executed from an installer — but it increases reliance on the missing script or external environment.
Credentials
SKILL.md asks users to set THUMBNAIL_API_KEY, but the registry metadata declares no required environment variables or primary credential. Requesting an API key is reasonable for a thumbnail service, but it should be declared and explained; the omission is an incoherence.
Persistence & Privilege
Skill is not forced-always and permits normal model invocation. It doesn't request persistent system-wide privileges or config changes in the provided material.
What to consider before installing
This skill's instructions expect a local script (scripts/video_thumbnail.py) and an API key (THUMBNAIL_API_KEY) but the package contains no code and the registry metadata doesn't declare the env var. Before installing or providing any credentials: (1) ask the publisher for the missing script and source code (or a trustworthy homepage/repo); (2) ask what service uses THUMBNAIL_API_KEY and why it's needed; (3) verify the code and endpoint are trustworthy (review the script or run it in a sandbox) and that the API key scope is limited; and (4) do not paste production API keys until you confirm the implementation and provenance. If the author supplies the script and documents the API, the inconsistencies could be resolved and the skill would likely be benign.
Like a lobster shell, security has layers — review code before you run it.
