Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Short Video Downloader

v1.0.0

Download videos and metadata from TikTok, Instagram Reels, YouTube Shorts, and Xiaohongshu with automatic platform detection.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description promise downloads and metadata extraction for multiple platforms. The included handler.py does only platform detection and returns a demo message; no metadata extraction or download logic is implemented. SKILL.md advertises paid automatic charging but the skill metadata declares no required credentials or configuration for payment. The hard-coded SkillPay API key exists in both SKILL.md and handler.py rather than being declared as a required secret, which is inconsistent with a properly configured paid integration.
Instruction Scope
SKILL.md shows usage and an Integration section claiming automatic charging. The handler.py calls an external SkillPay API and sends a user_id to it on every invocation. That network/telemetry action is not explained in SKILL.md beyond a price mention, and the skill will transmit whatever user_id the agent provides (which could be an email or other identifier). The SKILL.md and code disagree about whether charging is real vs demo: the code treats non-200 responses and exceptions as a demo success, while the doc claims automatic charging.
Install Mechanism
No install spec is provided (instruction-only plus a small handler file). There is no packaged dependency download or archive extraction. This lowers supply-chain risk compared with remote installs.
Credentials
No environment variables or credentials are declared in the registry metadata, yet a sensitive-looking API key is hard-coded into both SKILL.md and handler.py. A real payment integration would normally request a private key via environment/config, not embed it in source or docs. The skill transmits user_id to an external billing endpoint on each call — this is disproportionate for a simple downloader unless the user is explicitly consenting to payment and provided with clear billing controls.
Persistence & Privilege
always:false and no OS restrictions; the skill does not request persistent or elevated platform presence. It does make outbound network calls but does not modify other skills or system configuration.
What to consider before installing
This skill has several red flags you should understand before installing: (1) It advertises paid downloads but the shipped code does not perform downloads or metadata extraction — it only detects the platform and returns a demo message. (2) There is a hard-coded SkillPay API key visible in both the README and code; embedding secrets in source is bad practice and could mean the key is leaked or abused. (3) On every call the skill sends a user_id to https://api.skillpay.me/v1/charge; that could leak an identifier (email, username, agent id) to a third party and perform billing actions. (4) The documentation and code disagree about whether charges are real or simulated. Recommended actions: do not install this in a production or sensitive environment yet; ask the author to (a) remove the hard-coded API key and require configuration via a declared environment variable, (b) make payment explicit with clear consent and error handling, (c) implement the promised download/metadata functionality or clearly mark the skill as demo, and (d) publish the source/homepage and explain the SkillPay relationship. If you must test it, run it in an isolated sandbox, avoid passing PII as user_id, and monitor network calls to the SkillPay endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk973s276b9tf86j76v9k6ye4k982affp
368 downloads
0 stars
1 version
Updated 3h ago
v1.0.0
MIT-0

Short Video Downloader

Download videos from TikTok, Instagram Reels, YouTube Shorts, and other short video platforms.

Features

  • Detect platform from URL automatically
  • Support for TikTok, Instagram Reels, YouTube Shorts, Xiaohongshu
  • Extract video metadata (title, author, likes)
  • Generate download links

Price

  • 0.001 USDT per download
  • Payment via SkillPay (BNB Chain)

Usage

"Download video from https://www.tiktok.com/v/..."
"Save this Instagram Reels"
"Download YouTube Shorts"
"Get this Xiaohongshu video"

Supported Platforms

  • TikTok (tiktok.com)
  • Instagram Reels (instagram.com/reel)
  • YouTube Shorts (youtube.com/shorts)
  • Xiaohongshu (xiaohongshu.com)

Example Response

{
  "platform": "tiktok",
  "url": "https://...",
  "title": "Video title",
  "author": "@username",
  "likes": "100K",
  "status": "ready_to_download"
}

Integration

  • API Key: sk_93c5ff38cc3e6112623d361fffcc5d1eb1b5844eac9c40043b57c0e08f91430e
  • Price: 0.001 USDT per call
  • Payment: SkillPay automatic charging
