ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Filtrix Video Gen

v0.1.0

Generate videos through Filtrix Remote MCP. Use when users ask for text-to-video, image-to-video, video task polling, or downloading completed videos with ge...

0· 194·1 current·1 all-time
by@lumenclaw-cloud
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description, SKILL.md, and the scripts consistently target Filtrix MCP (https://mcp.filtrix.ai/mcp) and perform text→video, image→video submission, polling, and downloading — that capability is coherent. However the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while both SKILL.md and the code require FILTRIX_MCP_API_KEY (with MCP_API_KEY as a fallback). This mismatch between declared registry requirements and actual runtime requirements is unexpected and should be corrected/clarified.
Instruction Scope
SKILL.md and scripts limit behavior to: call the MCP endpoint, optionally read a local image file (for image-to-video), base64-encode and upload that image, poll get_video_status, and download the video bytes from the returned video URL. The instructions do not reference unrelated system files or extra credentials. The scripts write output files (default under /tmp) and will download whatever URL the MCP returns (expected behavior for this tool).
Install Mechanism
No install spec (instruction-only) and included Python scripts only — nothing is downloaded from external arbitrary URLs at install time. This is lower risk than an installer that pulls remote archives. The skill runs local Python code, which is normal for a script-based integration.
!
Credentials
Runtime requires FILTRIX_MCP_API_KEY (and will accept MCP_API_KEY) to authenticate to the Filtrix MCP endpoint; that is proportionate to the stated purpose. The concern is the registry metadata failing to declare this required credential. Also note the scripts will read local image files and upload their base64 content to the remote service — that is expected but users should be aware they may transmit any provided files to Filtrix.
Persistence & Privilege
The skill does not request permanent/always-on inclusion, does not modify other skills or agent-wide settings, and does not persist secrets itself. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges here.
What to consider before installing
Before installing, note that the scripts require a FILTRIX_MCP_API_KEY (the registry metadata incorrectly omits this). The skill will send any provided image files (base64) and prompts to the Filtrix MCP endpoint and will download video bytes from URLs returned by that service; only supply non-sensitive images or content you are willing to transmit. Verify the MCP endpoint (https://mcp.filtrix.ai/mcp) and that the API key you provide has the minimal necessary scope/credits. If you don't recognize the owner, ask for clearer metadata (declare required env vars) or review the included Python files yourself. If you need a higher assurance level, request the publisher to correct the registry metadata and supply an official homepage or source repository before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk979bh6pv98rykt2zckgvjg59182p8yd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments