Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jiege-openclaw-video
v1.2.2
Generate high-quality Veo videos from natural language prompts with automatic task handling and browser preview.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (generate Veo videos from natural language) lines up with code that sends prompts to a model endpoint and opens a returned URL. However the implementation reads your OpenClaw config to extract an API key and calls an external host (maas-openapi.wanjiedata.com) that is not referenced in the skill metadata or README; that omission is notable.
Instruction Scope
SKILL.md asks you to ensure ~/.openclaw/openclaw.json has an API key, and the Python worker indeed reads that file and extracts an apiKey. The README/SKILL.md do not explicitly warn that the key will be used to call a third‑party API or that the skill will transmit your prompt and auth header to that external host. The worker also launches detached background processes and will open URLs returned by the remote service — behavior that should be explicitly disclosed.
Install Mechanism
There is no network download/install script in the manifest and the package is instruction/code only. A requirements.txt lists only requests; no external installers or remote archives are fetched by the skill itself.
Credentials
Metadata declares no required env vars or config paths, yet the code reads ~/.openclaw/openclaw.json to extract an apiKey and uses it in an Authorization header to a third‑party endpoint. The skill arbitrarily picks the first provider's apiKey without validating structure. Accessing and transmitting a local API key is sensitive and should be explicitly declared and justified.
Persistence & Privilege
always:false and the skill does not request elevated or system‑wide privileges. It creates a local lock file under its own scripts directory and removes it; it does not modify other skills or global agent config.
What to consider before installing
This skill will (a) read your OpenClaw configuration file (~/.openclaw/openclaw.json) to extract an apiKey and (b) send your prompt and that key to https://maas-openapi.wanjiedata.com, then open any returned URL in your browser. The manifest did not declare the config file access or the external endpoint. Before installing: review and confirm you trust maas-openapi.wanjiedata.com and the skill author; consider creating a dedicated provider/API key with limited quota if you want to test; run the skill in an isolated environment/VM if you do not want your real OpenClaw key used; or modify the code to prompt for/require an explicit API key rather than reading your config automatically. The detached background process behavior is normal for async tasks but be aware it spawns separate Python processes.
hooks.js:11
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
