Shell Image Video
Security checks across malware telemetry and agentic risk
Overview
The skill matches its AI image/video purpose, but it uses an undeclared embedded RunningHub API key and points the agent to run local scripts that were not included for review.
Review carefully before installing. Only use this skill if you trust the missing local scripts or can inspect them, replace the embedded RunningHub key with your own scoped key, and are comfortable uploading the selected media to RunningHub and paying any associated workflow costs.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use a RunningHub account or billing credential that the user does not control or understand.
The skill exposes a preconfigured API token and also says a RunningHub API token environment variable is needed, while the supplied metadata declares no credential requirement.
## API Key preconfigured: `7192bd7e...8576705` ... - RunningHub API Token (environment variable `RUNNINGHUB_API_KEY`)
Remove the embedded key, declare the RunningHub credential requirement in metadata, and require users to configure their own scoped API key.
If those scripts exist locally or are added later, the agent would execute code that was not included in this review.
The skill tells the agent to run helper scripts from a local workspace path, but the provided artifact set contains only SKILL.md with no install spec or script files.
`~/.openclaw/workspace/Shell-openclaw-image-video-skill/` ... node scripts/runninghub-face-swap.js --face=./photo.jpg --prompt="场景描述"
Include the referenced scripts and dependency manifest in the reviewed package, or clearly document a trusted installation source and require user confirmation before execution.
Photos, videos, and voice samples may be processed by an external provider and could have privacy or consent implications.
The workflow sends user-selected images, videos, and voice samples to RunningHub APIs; this is purpose-aligned but involves sensitive personal media leaving the local environment.
→ Upload image → Call face-swap workflow → Return result image ... Requires: portrait + 5-10 second voice sample + script text
Use only media you have rights and consent to upload, and review RunningHub’s retention, privacy, and billing terms before running workflows.
