Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sogni Gen
v1.5.16
Generate images **and videos** using Sogni AI's decentralized network, with local credential/config files and optional local media inputs. Ask the agent to "...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Sogni image & video generation) matches the actual behavior: a Node CLI + MCP wrapper that calls a Sogni client library. Required binaries (node, optional ffmpeg) and deps in package.json logically support image/video generation. The requested env vars and config paths (SOGNI_API_KEY, username/password, credentials path, OpenClaw config, inbound media dir, downloads dir) are appropriate for a plugin that integrates with Sogni and OpenClaw.
Instruction Scope
Runtime instructions and code read Sogni credentials (file or env), read/write a last-render.json, read OpenClaw config and an inbound media directory, and may download generated result URLs and save them to a local Downloads directory. The MCP server sanitizes inputs and restricts downloads to trusted hosts by default (sogni.ai). Note: the SOGNI_ALLOWED_DOWNLOAD_HOSTS environment variable can expand which HTTPS hosts are permitted for auto-downloads — if misconfigured this could allow downloading from arbitrary hosts. Otherwise the instructions stay within the stated purpose.
Install Mechanism
The skill uses npm to install runtime dependencies (skill-package.json -> npm i). Dependencies are typical (Sogni client wrapper, MCP SDK, sharp, execa). No archive downloads from arbitrary URLs or shell-executed remote scripts are present in the manifest. (Minor metadata inconsistency: registry summary said 'No install spec', but SKILL.md includes an npm install step — this is explanatory rather than harmful.)
Credentials
Requested environment variables are primarily Sogni credentials, OpenClaw configuration hooks, ffmpeg path, and options controlling local saves/download hosts. The number of env vars is high because the skill supports integrations (OpenClaw, MCP, custom paths), but each variable has a clear purpose. No unrelated cloud or secret credentials (AWS, GCP, etc.) are requested.
Persistence & Privilege
The skill is not always-enabled (always: false) and does not request elevated platform-wide privileges. It writes to its own configured directories (last-render metadata, ~/Downloads/sogni by default) and can be configured to disable local saves. It does not attempt to modify other skills or global agent settings.
Assessment
This skill appears to be what it claims: a Sogni AI image/video generator that uses a local Node CLI and an optional MCP wrapper. Before installing: 1) Be prepared to provide your SOGNI_API_KEY (or username/password) either in ~/.config/sogni/credentials or via environment variables; 2) note that generated assets are saved to ~/Downloads/sogni by default and last-render metadata is written to ~/.config/sogni/last-render.json — you can override or disable these via the documented env vars (SOGNI_DOWNLOADS_DIR, SOGNI_MCP_SAVE_DOWNLOADS); 3) the MCP server will only auto-download result URLs from sogni.ai by default, but SOGNI_ALLOWED_DOWNLOAD_HOSTS can broaden that — avoid setting it to permit arbitrary hosts unless you understand the implications; 4) installing runs npm install for the packaged runtime deps — review package.json/skill-package.json if you want to audit dependencies. Overall, the components and privileges requested match the stated purpose.
mcp-server.mjs:21
File read combined with network send (possible exfiltration).
sogni-gen.mjs:10
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
latest vk974k8vsng299kfppzb0gqw3gd82qjda
Runtime requirements
🎨 Clawdis
OS: macOS · Linux · Windows
Bins: node
Any bin: ffmpeg
Env: SOGNI_API_KEY, SOGNI_USERNAME, SOGNI_PASSWORD, SOGNI_CREDENTIALS_PATH, SOGNI_LAST_RENDER_PATH, SOGNI_MEDIA_INBOUND_DIR, OPENCLAW_CONFIG_PATH, OPENCLAW_PLUGIN_CONFIG, FFMPEG_PATH, SOGNI_DOWNLOADS_DIR, SOGNI_MCP_SAVE_DOWNLOADS, SOGNI_ALLOWED_DOWNLOAD_HOSTS
Config: ~/.config/sogni/credentials, ~/.openclaw/openclaw.json, ~/.clawdbot/media/inbound, ~/.config/sogni/last-render.json, ~/Downloads/sogni
Primary env: SOGNI_API_KEY
