Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FreeAds 随手拍广告 (Snapshot Ads)

v3.7.0

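🎬 AI premium ad video generator: turns product photos into 8-second professional ad videos (with BGM, slogan, sound effects, and rich camera movement). Uses the Atlas Cloud API to call Veo 3.1 to generate the video. Trigger phrases: 随手拍广告 (snapshot ad), 生成广告视频 (generate ad video), 产品广告 (product ad). Core output: video file URL.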

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md explicitly requires an ATLASCLOUD_API_KEY and documents calls to Atlas Cloud's upload/generate endpoints (coherent with a video-generation skill). However, the registry metadata at the top of the submission lists no required env vars or primary credential; this mismatch is unexpected and should be resolved. The skill also includes affiliate/referral URLs (https://www.atlascloud.ai?ref=LJNA3T), which are not necessary for functionality and suggest monetization/marketing embedded in docs.
Instruction Scope
Runtime instructions stick to the advertised workflow: product recognition, prompt construction, uploading media, and calling Veo 3.1. They also instruct the agent to collect brand/logo images and (optionally) search the web for logos, which is reasonable for brand-protection features but potentially expands what the agent will fetch or request from the user. The SKILL.md header declares ATLASCLOUD_API_KEY as required while the registry metadata omits it; that inconsistency may cause permission/consent gaps at install time.
Install Mechanism
There is no install spec (instruction-only) which is low risk. A single included shell helper (scripts/setup-api-key.sh) is present; its behavior is straightforward (prompt for API key, verify via curl, and optionally append/export the env var into the user's shell rc). The script is readable and not obfuscated, but it will modify the user's shell config if accepted — users should inspect it before running.
Credentials
The only credential this skill needs is an Atlas Cloud API key (ATLASCLOUD_API_KEY), which is proportionate to its purpose. However, the top-level registry metadata declares no required env vars while SKILL.md and the setup script require and store that API key. This incoherence may lead to the key being requested or stored without explicit visibility in the registry listing.
Persistence & Privilege
always:false (no forced permanent inclusion). The skill's included setup script can write the API key into the user's shell RC (persistent environment change). Also, the skill can invoke external APIs autonomously (default platform behavior); coupling autonomous invocation with access to an API key increases blast radius if the skill were malicious. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
What to check before installing:
1) Metadata mismatch: SKILL.md requires ATLASCLOUD_API_KEY but the registry metadata lists none; confirm you are comfortable granting an Atlas Cloud API key.
2) Review the included setup script (scripts/setup-api-key.sh) before running: it will optionally append export ATLASCLOUD_API_KEY to your shell rc (~/.bashrc, ~/.zshrc). If you prefer, set ATLASCLOUD_API_KEY manually instead of running the script.
3) Use a least-privilege / billing-limited Atlas API key if possible and monitor usage/billing after first runs.
4) Be aware the docs include an affiliate/referral link; sign-up via that link is optional and unrelated to functionality.
5) If you will supply images containing third-party brands, confirm you have rights to use them; the skill encourages web searches for logos which may cause the agent to fetch external resources.
6) If you need tighter safety, disable autonomous invocation for this skill (or only invoke it manually) and test with non-sensitive/example images first.

Like a lobster shell, security has layers — review code before you run it.
