Skill v2.0.0

ClawScan security

wanjie-openclaw-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 10:10 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what its description claims (it calls a Veo API to generate videos), but it reads your OpenClaw API key file without declaring that requirement, auto-installs Python packages at runtime, launches detached background processes, and automatically opens arbitrary URLs returned by the remote API. Evaluate these behaviors before installing.
Guidance
Key points to consider before installing:
- This skill reads your OpenClaw API key from ~/.openclaw/openclaw.json. The manifest does not declare this requirement explicitly; if you are not comfortable granting a skill access to that file, do not install it.
- At runtime it may pip-install the requests package into your Python environment; run it inside a virtualenv or other isolated environment if you want to avoid changing system packages.
- The skill launches detached background Python processes and writes veo_log.txt, veo.lock, and veo_result.txt into its scripts folder. These processes persist outside the chat session; verify and monitor them if you install the skill.
- The worker automatically opens any URL returned by the remote API in your default browser. A malicious or compromised backend could return an unsafe URL; only use the skill if you trust the remote service (maas-openapi.wanjiedata.com).
- SKILL.md describes additional monitoring/scheduling behavior (a Windows scheduled task), but the code does not implement automatic task registration; the behavior described in the docs and the actual code differ.

Recommendations:
1) Inspect the included Python files (veo_worker.py, video_interface.py) yourself; they are present in the package. Run them in a controlled environment first.
2) Test with a throwaway or limited OpenClaw API key, or on a machine without sensitive credentials.
3) If you decide to install, run the skill inside a Python virtualenv and monitor the processes and files it creates.

If you need the skill but want stricter behavior, ask the author to declare the config requirement in the manifest and to make URL opening and automatic pip installation opt-in.
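Recommendation 1 asks you to inspect the Python files yourself. The script below is an added example of how to do that mechanically: it parses Python sources with the standard-library ast module and flags the four behaviors this report describes (a string literal pointing at ~/.openclaw/openclaw.json, a subprocess or os.system call that runs pip install, a subprocess.Popen call with a detaching keyword such as start_new_session or creationflags, and a call to webbrowser.open or os.startfile). It is not ClawHub's scanner and not the skill's code; SAMPLE_SOURCE is a constructed stand-in that only imitates the described behavior, and the rule names are assumptions.

```python
# Added example: static audit of a skill's Python sources for the behaviours the
# report lists. Not ClawHub's scanner, not the skill's own code. SAMPLE_SOURCE is
# constructed to imitate the described behaviour; it is not the real skill.
import ast
import re
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

Finding = Tuple[str, int, str]  # (rule, line number, detail)

OPENCLAW_CONFIG = re.compile(r"\.openclaw[/\\]openclaw\.json")
URL_OPENERS = {"webbrowser.open", "webbrowser.open_new",
               "webbrowser.open_new_tab", "os.startfile"}
DETACH_KWARGS = {"start_new_session", "creationflags"}  # POSIX / Windows detachment

# Constructed sample (assumption): resembles the behaviours in the report.
SAMPLE_SOURCE = '''
import json, os, subprocess, sys, webbrowser

def _read_api_key_from_openclaw():
    path = os.path.expanduser("~/.openclaw/openclaw.json")
    with open(path) as f:
        return json.load(f)["apiKey"]

try:
    import requests
except ImportError:
    subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

def spawn_worker():
    subprocess.Popen([sys.executable, "veo_worker.py"], start_new_session=True)

def handle_result(resp):
    webbrowser.open(resp["url"])
'''


def _dotted_name(call: ast.Call) -> str:
    """'subprocess.check_call' for subprocess.check_call(...); '' if not a plain name."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _string_literals(node: ast.AST) -> List[str]:
    """Every string constant anywhere inside the node (arguments included)."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def audit_source(src: str) -> List[Finding]:
    """Scan one Python source text; findings are sorted by line number."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if OPENCLAW_CONFIG.search(node.value):
                findings.append(("reads_openclaw_config", node.lineno, node.value))
            continue
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node)
        literals = _string_literals(node)
        pip_install = (("pip" in literals and "install" in literals)
                       or any("pip install" in s for s in literals))
        if pip_install and (name.startswith("subprocess.") or name == "os.system"):
            findings.append(("runtime_pip_install", node.lineno, name))
        if name == "subprocess.Popen" and DETACH_KWARGS & {k.arg for k in node.keywords}:
            findings.append(("detached_process", node.lineno, name))
        if name in URL_OPENERS:
            findings.append(("auto_open_url", node.lineno, name))
    findings.sort(key=lambda f: f[1])
    return findings


def audit_paths(paths: Iterable[Path]) -> List[Tuple[str, Finding]]:
    """Audit every *.py file under the given paths; returns (file, finding) pairs."""
    out = []
    for root in paths:
        files = [root] if root.is_file() else sorted(root.rglob("*.py"))
        for f in files:
            for finding in audit_source(f.read_text(encoding="utf-8", errors="replace")):
                out.append((str(f), finding))
    return out


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    results = (audit_paths(targets) if targets
               else [("<sample>", f) for f in audit_source(SAMPLE_SOURCE)])
    for file, (rule, line, detail) in results:
        print(f"{file}:{line}: {rule}: {detail}")
```

Run it with the skill's scripts directory as the argument (for example `python audit_skill.py path/to/skill/scripts`) and read each flagged line in context; with no argument it audits the constructed sample. A clean result is not proof of safety, since the checks are syntactic and miss dynamically built command lines or obfuscated calls, but a hit on any of these rules is exactly what the guidance above says to review before installing.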

Review Dimensions

Purpose & Capability
note: The code and SKILL.md are consistent with a video-generation skill that calls an external Veo API (maas-openapi.wanjiedata.com), and requiring Python and the requests library fits that purpose. However, the skill reads the user's ~/.openclaw/openclaw.json to obtain an API key (via _read_api_key_from_openclaw), while the package metadata declares no required config path or primary credential; SKILL.md mentions the openclaw.json requirement only in prose. This omission is a transparency and consent issue even though the access is functionally coherent.
Instruction Scope
concern: SKILL.md claims background timed monitoring and deployment as a Windows scheduled task; the provided code spawns detached worker processes on each message and implements a lock/timeout mechanism, but there is no installer or code that actually registers a Windows scheduled task or runs a 5-minute monitor loop. The worker reads the local OpenClaw config, writes log and result files to model/scripts/, and automatically opens any URL extracted from the API response in the user's browser. Auto-opening arbitrary returned URLs and reading local config are broader-than-expected actions that should be explicitly disclosed and consented to.
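The guidance asks the author to make URL opening opt-in. As an added example (not the skill's code and not something ClawHub ships), the gate below shows what that would look like: the result URL is only handed to the browser when the user has opted in and when it is an https URL whose host is on an allowlist. The allowed host (taken from the service name in this report), the VEO_OPEN_RESULT opt-in variable and the return labels are assumptions for illustration.

```python
# Added example: opt-in, allow-listed opening of a URL returned by a remote API.
# Not the skill's own code. The allowed host and the opt-in variable are assumptions.
import os
import webbrowser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"maas-openapi.wanjiedata.com"}  # assumption: the service named in the report
ALLOWED_SCHEMES = {"https"}


def is_safe_result_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for an https URL whose host is exactly one of allowed_hosts."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects http:, file:, javascript:, custom handlers
    if parts.username or parts.password:
        return False  # rejects https://good.example@evil.example/ confusion
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts  # exact match, so good.example.evil.example fails


def maybe_open(url: str, opt_in=None) -> str:
    """Returns 'opened', 'skipped_opt_in' or 'blocked' so callers can log the decision."""
    if opt_in is None:
        # assumption: the user opts in by setting VEO_OPEN_RESULT=1
        opt_in = os.environ.get("VEO_OPEN_RESULT", "0") == "1"
    if not is_safe_result_url(url):
        return "blocked"
    if not opt_in:
        return "skipped_opt_in"
    webbrowser.open(url)
    return "opened"


if __name__ == "__main__":
    # Constructed inputs: one allowed URL and a few that a hostile backend might return.
    for candidate in ("https://maas-openapi.wanjiedata.com/v1/video/result.mp4",
                      "http://maas-openapi.wanjiedata.com/v1/video/result.mp4",
                      "https://maas-openapi.wanjiedata.com@evil.example/",
                      "https://maas-openapi.wanjiedata.com.evil.example/",
                      "file:///etc/passwd",
                      "javascript:alert(1)"):
        print(f"{maybe_open(candidate, opt_in=False):>15}  {candidate}")
```

The order of checks matters: the URL is validated before the opt-in flag is consulted, so a blocked URL never reaches the browser even when the user has opted in, and the worker can print the returned URL to its log for the user to open by hand instead.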
Install Mechanism
note: There is no external install spec (instruction-only), so nothing is downloaded during install. However, at runtime video_interface.py pip-installs the requests package if it is missing (subprocess.check_call to pip). Runtime package installation modifies the Python environment and can have side effects; although common, it is an active change the user should be aware of.
Credentials
concern: No environment variables are requested, but the code reads a sensitive credential: it loads the OpenClaw API key from ~/.openclaw/openclaw.json and uses it to authenticate requests to the remote Veo service. That access is functionally explainable (the skill needs an API key), but the manifest does not declare this required config or mark the credential as a primary secret. The skill logs only a fingerprint of the key (first and last characters), but it still reads the full key from disk; storing or transmitting that key is privacy-sensitive.
Persistence & Privilege
note: The skill does not request always:true and does not modify other skills. It starts detached background Python processes (hooks.js spawns python detached; video_interface.py spawns workers detached), creates lock, log, and result files in its own directory, and may leave processes running outside the controlling agent. Autonomous invocation (the default) combined with detached background tasks increases the blast radius if the skill misbehaves, but these behaviors are consistent with a background-generation skill.