ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

anyvideos

v1.0.4

Download videos, images, and audio from YouTube, Twitter, Instagram, Facebook, Vimeo, Tumblr, TikTok, Bilibili, and 1000+ more websites. Just paste a URL and...

0· 119·0 current·0 all-time
bymstsc@mstscmsn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a downloader that calls a third‑party API (https://anyvideos.yx.lu) and needs an API key; the single required env var ANYVIDEOS_API_KEY is proportional and consistent with that purpose.
Instruction Scope
SKILL.md restricts actions to calling the AnyVideos API, downloading files with curl/wget, optionally merging with ffmpeg, checking file sizes, and cleaning temp files. It does not instruct reading unrelated system files or exporting data to unexpected endpoints. It does require the agent to display a welcome/setup message when the key is missing.
Install Mechanism
There is no install spec or code to fetch — the skill is instruction-only. The only recommended system requirement is ffmpeg, which is reasonable for video merging and is documented with standard install commands.
Credentials
Only ANYVIDEOS_API_KEY is required. That matches the described API usage. No other secrets, unrelated cloud credentials, or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration changes or access to other skills' credentials. It will operate only when invoked.
Assessment
This skill appears to do what it says: it wraps a third‑party downloader API and uses ffmpeg/curl to fetch and merge media. Before installing, consider: 1) trust and reputation of https://anyvideos.yx.lu (you will create an account and sign in — the site requests Google login); 2) keep your ANYVIDEOS_API_KEY secret (store it only in the agent/platform's secure config), and be aware the key ties to billing/quotas shown in API responses; 3) downloading some content may violate sites' terms of service or copyright law — ensure you have the right to download; 4) the skill downloads potentially large files to disk — verify storage and cleanup policies and that your environment can handle large transfers; 5) direct download URLs returned by the API may point to third‑party hosts, so exercise standard caution. If you need higher assurance, verify the AnyVideos service reputation (reviews, WHOIS/SSL certificate), and consider testing with a throwaway API key and small public-domain video first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739t0tdxhtwcqsz4wk2dr2sx839e4n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvANYVIDEOS_API_KEY

Comments