Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jiege-openclaw-video

v1.2.0

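High-performance video generation skill pack that integrates the Sora and VEO model interfaces and provides fully automated video generation, polling, and download management.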

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liangshenghzj888-stack/jiege-openclaw-video-v1.

Install the skill "jiege-openclaw-video" (liangshenghzj888-stack/jiege-openclaw-video-v1) from ClawHub.
Skill page: https://clawhub.ai/liangshenghzj888-stack/jiege-openclaw-video-v1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jiege-openclaw-video-v1

ClawHub CLI

npx clawhub@latest install jiege-openclaw-video-v1

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The description claims integration with Sora and VEO, but the implementation only calls a VEO-like flow and POSTs to https://maas-openapi.wanjiedata.com. The manifest and SKILL.md do not declare any required credential even though the code reads ~/.openclaw/openclaw.json for an apiKey. The declared purpose (multi-provider video generation) does not match the actual endpoints and credential usage.
Instruction Scope
The runtime instructions and code cause the agent to spawn a detached background Python worker which: (a) reads ~/.openclaw/openclaw.json to extract an apiKey, (b) makes streamed HTTP POST requests to an external API (wanjiedata), (c) aggregates streamed content and blindly opens the first URL found in the response using os.startfile, and (d) writes log and lock files into the skill directory. Reading an agent config and opening arbitrary returned URLs are broader actions than the SKILL.md explicitly documents and can have surprising side effects.
Install Mechanism
This is instruction-only (no install spec). The bundle includes Python scripts and a requirements.txt (requests). No remote downloads or installers are used, which lowers supply-chain risk, but code will be placed on disk and executed by spawning a detached Python process.
Credentials
The skill accesses ~/.openclaw/openclaw.json to extract an apiKey but declares no required environment variables or primary credential. It takes the first provider apiKey it finds (no validation) and uses it to authenticate to a third-party endpoint. This may cause the skill to use a key intended for another service, effectively granting that external host access to your configured provider credentials.
Persistence & Privilege
always:false (normal). However, the skill deliberately launches fully detached background processes (child.unref() / subprocess.Popen detached) that run independently of the agent lifecycle; those processes run with the user's privileges and will continue until completion. This is expected for asynchronous workloads but increases blast radius if the worker does unexpected network activity.
What to consider before installing
Before installing: review the skill's code yourself (veo_worker.py, video_interface.py, hooks.js). Key points to consider:

  • The skill reads ~/.openclaw/openclaw.json and uses the first apiKey found to call an external API (wanjiedata). If that file contains keys for other services, those keys could be used unintentionally. Create a dedicated provider/apiKey for this skill or modify the code to use a dedicated env var.
  • The worker will open any URL returned in the streamed response without validation — a malicious or compromised provider could return a harmful URL. Consider removing/validating the auto-open behavior.
  • The skill spawns detached background processes that run independently; test it in a controlled environment first.
  • The README/SKILL.md and manifest claim multi-provider integration (Sora) but code only uses one external endpoint; ask the author to clarify which provider is used and to explicitly declare required credentials.

If you cannot audit or modify the code, avoid installing it on systems where your OpenClaw config contains sensitive keys you do not want reused, or run it in an isolated environment.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
hooks.js:11: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

latestvk9731k0yvq9kkccss5a89ynaps84fhxm
107 downloads
1 star
2 versions
Updated 2w ago
v1.2.0
MIT-0

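Skill: jiege-video-skill

Author: 何振杰

Description

A high-performance Veo video generation skill that supports one-step generation from natural language.

Use cases

  • Automated video creation.
  • Generating videos through natural-language conversation, with no command-line arguments required.

Installation

  1. Install with openclaw install jiege-video-skill.
  2. Make sure a valid API Key is configured in ~/.openclaw/openclaw.json.

Usage

After installation, type the following directly into the chat window:

生成视频:[your prompt]

For example:

生成视频:一只在雨中奔跑的黑豹,电影质感

(In English: "Generate video: a black panther running in the rain, cinematic look".)

How it works

  • After intercepting the command, the skill automatically invokes a background process to generate the video.
  • When the task completes, the result page automatically opens in the browser.
  • A built-in lock mechanism prevents concurrent duplicate tasks.

Notes

  • Make sure Python is installed in the system environment.
  • If you are told that the task is blocked, confirm that no leftover .lock file remains.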
