Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

short-video-ecommerce

v1.0.0

Fully automated AI eBook creator — from topic idea → finished PDF with cover, table of contents, complete content, one click.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability (flagged)
The registry name/slug is short-video-ecommerce, and the majority of the code (main.py, steps/*, utils.py, skill.json) implements short-video e-commerce / dropshipping workflows (product sourcing, AI image/video generation, one-click publish). However, the SKILL.md at the top of the package describes an AI eBook generator (ai-ebook-generator) that needs OPENROUTER_API_KEY. The skill.json dependencies (market-data, ecommerce-api, xiaohongshu, web-content-fetcher) align with short-video-ecommerce but not with the eBook description. Multiple README.md files describe several different tools (eBook, Instagram post, Midjourney prompts, SEO blog, YouTube shorts), indicating copy-paste or bundling of unrelated artifacts. This is a significant purpose/capability mismatch.
Instruction Scope (flagged)
The top-level SKILL.md instructs a simple "generate ebook [topic]" flow and lists OPENROUTER_API_KEY as the only requirement, but the actual runtime code implements steps including network image downloads, filesystem writes (defaulting to a Desktop path), calls to optional AI video/image services, and hooks for many platform APIs. The code reads many environment variables (OPENROUTER_API_KEY, SEEDDANCE_API_KEY, various platform API keys) and will write outputs to disk. The SKILL.md is not representative of what the code will do at runtime: the instructions are incomplete and therefore implicitly grant the skill broad scope.
Install Mechanism
No install spec is provided (instruction-only), but the package contains Python code and a requirements.txt (requests, beautifulsoup4, Pillow, ffmpeg-python, etc.). There is no remote download/install URL, which reduces install-time supply-chain risk, but installing/executing the code will install dependencies from PyPI and run code that performs network and filesystem operations. The package itself bundles multiple README/SKILL files and code, suggesting sloppy packaging but not an explicit malicious install mechanism.
Credentials (flagged)
The declared requirements in the registry say 'none' and the top SKILL.md claims only OPENROUTER_API_KEY, but the code and README(s) expect multiple API keys: OPENROUTER_API_KEY for image generation, SEEDDANCE_API_KEY (or KLING_API_KEY) for video, and a range of platform credentials (DOUDIAN_APP_KEY/SECRET, KUAIHOU_APP_ID/SECRET, PDD_CLIENT_ID/SECRET, TB_APP_KEY/SECRET, etc.) for one-click publish. The skill.json also lists optional integrations. The set of env vars read by the code is broad and not justified by the single eBook description in SKILL.md. Supplying platform credentials would give the skill the ability to interact with and publish to third-party stores, which is only appropriate if you trust the code and author.
Persistence & Privilege
The skill does not request 'always: true' and does not declare other elevated privileges. It writes output files to a user directory (defaulting to a Desktop path) and creates directories, which is expected for a content-generation tool. It does not appear to modify other skills or global agent config. Autonomous invocation is enabled by default (normal), but combined with the other concerns (credential hooks, network operations) that increases risk if installed without review.
What to consider before installing
Do not install or provide API/platform credentials yet. Key concerns: (1) The top SKILL.md and registry description (an eBook generator) do not match the actual code (a short-video/dropshipping tool); ask the publisher which is correct and request a single canonical SKILL.md. (2) The code will read many environment variables and can download images and write files to your Desktop; only set API keys (OPENROUTER_API_KEY, SEEDDANCE_API_KEY, DOUDIAN_*, PDD_*, TB_*, etc.) if you fully trust the author and have reviewed the code paths that use them. (3) If you need to evaluate further: inspect main.py and steps/* for network calls and publishing logic, run the package in a sandboxed environment or VM, run static linters, and verify the package origin (homepage/author contact is missing). (4) If you intend to use only the eBook functionality described in SKILL.md, ask for a trimmed package that contains only the eBook-related code and a correct skill.json; currently the repository mixes multiple tools, which is noisy and suspicious. If you decide to proceed, avoid setting platform credentials initially and test in manual/semi-auto mode.

Like a lobster shell, security has layers — review code before you run it.

latest · vk97eytfmd7z9818508g95dd4vh84ketv


Runtime requirements

Clawdis
OS: Windows · macOS · Linux
