Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Renderful Generation

v0.1.0

Use Renderful from OpenClaw for image/video/audio/3D creation with model discovery, quote-before-generate workflow, deterministic polling, and insufficient-funds/x402 fallback.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (Renderful generation, quote-before-generate, polling, 402 fallback) matches the runtime instructions: list models, quote, generate, poll for status, check balance, and optionally register an agent or set webhooks. The listed tool calls are exactly what a generation service would need.
Instruction Scope
SKILL.md stays focused on generation workflow and explicitly recommends read-only calls until user approval, which is good. It does include instructions to use set_webhook and register_agent; webhooks can cause outbound transmission of generation results to arbitrary endpoints and agent registration typically creates credentials — the doc does not limit or validate webhook targets or describe where credentials are stored.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk/write footprint and no external packages fetched by the skill itself.
Credentials
The skill declares no required env vars or primary credential, yet it references API keys (register_agent) and payment flows (status=402, deposit_addresses, x_payment). This is not necessarily incoherent (the downstream plugin may manage keys/billing) but the SKILL.md does not describe how/where API keys or payment information will be obtained, stored, or used.
Persistence & Privilege
always:false and no installs means the skill does not request permanent inclusion or elevated platform privileges. Agent autonomous invocation is allowed (platform default). Note: autonomous invocation combined with webhook configuration or payment operations increases blast radius unless user approval is enforced for side effects.
Assessment
This skill appears to be a normal, instruction-only wrapper for Renderful's generation tools, but before installing you should: (1) confirm you trust the Renderful endpoint (https://renderful.ai) and the OpenClaw plugin implementation, (2) ask how API keys and agent registration are handled and where keys will be stored, (3) understand the billing flow and what '402' responses require — do not provide payment credentials until you verify the vendor, (4) be cautious about enabling set_webhook: only allow webhook URLs you control or trust because they can receive generated content, and (5) require explicit user approval before any side-effect action (register_agent, generate, set_webhook or payment-related operations).

Like a lobster shell, security has layers — review code before you run it.
