Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Gen 1.0.0
v1.0.0 · End-to-end AI video generation - create videos from text prompts using image generation, video synthesis, voice-over, and editing. Supports OpenAI DALL-E, Re...
by @matttgx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description and the included Python scripts match an AI video-generation purpose (image generation, video synth via LumaAI, TTS, FFmpeg). However the registry metadata claims no required environment variables while both SKILL.md and the code require multiple provider API keys (OPENAI_API_KEY, REPLICATE_API_TOKEN, LUMAAI_API_KEY, RUNWAY_API_KEY, ELEVENLABS_API_KEY). This mismatch between what the skill states it needs in metadata and what it actually uses is an incoherence.
Instruction Scope
SKILL.md and README instruct setting .env.example and refer to extra scripts/folders (multi_scene.py, edit_video.py, examples/) that are referenced but not present in the file manifest. The runtime instructions direct the agent to use provider APIs and to download assets from returned URLs (expected for this purpose) but they also assume platform-specific FFmpeg install steps (winget) and a .env.example that doesn't exist—these are sloppy and could mislead users.
Install Mechanism
There is no install spec in the registry (instruction-only style). The project includes a requirements.txt and the SKILL.md suggests pip install openai requests pillow replicate python-dotenv (consistent). There are no downloads from unknown hosts or archive extraction in the install instructions. The only mild concern is the reliance on an external FFmpeg binary (assumed installed via winget) which is platform-specific and not enforced by an install script.
Credentials
The code legitimately uses multiple API keys relevant to the stated functionality (OpenAI, Replicate, LumaAI, Runway, ElevenLabs). That use is proportionate to an end-to-end video generator. However the registry lists no required env vars and the package metadata ownerId in _meta.json differs from the registry ownerId presented — this inconsistency makes it unclear what credentials will actually be needed and who published the package.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills' configuration, and does not attempt to run background services or persist credentials. It runs scripts and uses subprocess to call FFmpeg and performs network calls to provider APIs — expected for this functionality.
What to consider before installing
This package appears to implement the advertised video-generation features, but metadata and docs are inconsistent in several ways. Before installing or running it:
(1) verify the publisher/source — the ownerId in _meta.json doesn't match registry metadata and there's no homepage; prefer code from a known repo.
(2) Expect to provide API keys for OpenAI/Replicate/LumaAI/Runway/ElevenLabs; the registry incorrectly reports no required env vars. Create scoped/limited API keys if possible and avoid using high-privilege keys.
(3) Inspect missing references (.env.example, multi_scene.py, examples/) and confirm the scripts you need are present; the docs reference files that are not in the bundle.
(4) Run the code in an isolated environment (container or VM) because it executes subprocesses (ffmpeg) and makes network calls to third-party APIs.
(5) If you need to trust this skill in production, ask the publisher to fix the metadata (declare required env vars, provide homepage/repo) and provide a reproducible install/setup script.
If you want, provide the registry metadata or publisher contact and I can reassess with that context.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fkwy5wss3sdvz2t9dab7h9183bjp5
