Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Gen Temp
v1.0.1
End-to-end AI video generation - create videos from text prompts using image generation, video synthesis, voice-over, and editing. Supports OpenAI DALL-E, Re...
by @mmyg11
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts implement an image→video→voice pipeline and legitimately need API keys for OpenAI, Replicate, LumaAI, Runway, and ElevenLabs. However, the registry metadata claims no required environment variables or credentials, which is inconsistent with the code and SKILL.md. The _meta.json owner also differs from the registry owner id, and SKILL.md/README reference files (e.g., .env.example, multi_scene.py, edit_video.py, examples/) that are not present in the bundle — these mismatches reduce trust in the package provenance.
Instruction Scope
SKILL.md instructs the agent to use external services (OpenAI, LumaAI, Replicate, ElevenLabs) and to read environment keys from a .env file — behavior consistent with the stated purpose. But SKILL.md references scripts that are missing from the repo (multi_scene.py, edit_video.py, examples/), and the LumaAI call in generate_video.py sends a local file path string in JSON ("image": image_path) rather than uploading file contents or a public URL, which looks buggy and could leak local path information to the remote API. The runtime instructions are otherwise focused on the task and do not instruct reading unrelated system files.
Install Mechanism
There is no install spec in the registry (instruction-only), but the bundle includes a requirements.txt listing common packages (openai, replicate, requests, pillow, python-dotenv). This is proportionate to the functionality and lower risk than arbitrary binary downloads, but you must pip install dependencies before running. No external download URLs or extract/install steps are present.
Credentials
The code expects multiple API credentials (OPENAI_API_KEY, REPLICATE_API_TOKEN, LUMAAI_API_KEY, RUNWAY_API_KEY, ELEVENLABS_API_KEY). Those credentials are proportionate to a multi-provider video tool, but the registry metadata declared 'no required env vars' which is inaccurate. Because the skill will call external services, providing keys grants networked access to those services (and billing), so keys should be limited and rotated if used for testing.
Persistence & Privilege
The skill does not request persistent system privileges, does not set always:true, and does not attempt to modify other skills or global agent configs. It runs as command-line scripts and uses ordinary filesystem operations (temporary filelist.txt), which is expected for its purpose.
What to consider before installing
This package contains working scripts for generating videos with third‑party APIs, but there are several inconsistencies and missing files that reduce confidence in the bundle's provenance. Before installing or running:
1) do not paste production API keys — create a throwaway key or isolated billing account for testing and rotate it afterwards;
2) inspect the code yourself (or have someone you trust do so), especially the API calls that send data to remote endpoints;
3) note SKILL.md and README reference files that are not included (.env.example, multi_scene.py, edit_video.py, examples/) and the metadata owner mismatch — treat the source as unverified;
4) be aware of cost/billing for calls to OpenAI/Runway/LumaAI/Replicate/ElevenLabs;
5) test in an isolated environment (container or VM), and if you decide to use it long-term, only enable the minimum required keys and monitor usage.
If you want, I can list the exact places in code that send data to remote services and suggest minimal tests to validate behavior safely.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dd2gz1krck2axgy8xawm7jx8384v4
