ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Media: Generate AI-powered videos and images from the terminal using the `agent-media` CLI.

v1.0.1

AI UGC video production from the terminal using the `agent-media` CLI.

0· 785·6 current·6 all-time
by@nevo-david
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the instructions: SKILL.md tells the agent how to run the agent-media CLI to produce UGC videos, lists the flags and pipeline, and enforces domain-specific rules (actors, duration, b-roll). Required resources declared as none align with an instruction-only skill.
Instruction Scope
Instructions stay within the stated purpose (install CLI, login, run agent-media ugc with flags). However the guide explicitly tells the agent to 'visit the site yourself and extract image URLs' and to accept and auto-upload local files supplied via --broll-images. That behavior is expected for a media tool, but it grants the agent discretion to fetch arbitrary web pages and transmit local files — a potential data‑exfiltration surface if the agent has broad filesystem/network access. The SKILL.md does not impose explicit safeguards (e.g., require user confirmation before uploading local files or fetching non-public URLs).
Install Mechanism
There is no install spec in the skill bundle (lowest static risk). The instructions direct users/agents to run npm install -g agent-media-cli (an external npm package). Installing that package executes third‑party code outside the skill; this is expected for a CLI-based integration but is an additional trust step the user should verify (inspect the npm package/github).
Credentials
The skill declares no required environment variables or credentials. It does instruct performing an interactive 'agent-media login' OTP flow; that is reasonable for a CLI that uploads media. There are no unrelated credentials requested in SKILL.md.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent platform presence or modify other skills. Normal autonomous invocation is allowed by platform defaults but not excessive here.
Assessment
This skill is an instruction-only integration for a third‑party CLI and is coherent with its stated purpose, but before installing or using it you should: (1) inspect the agent-media npm package and GitHub repository to confirm authenticity and review what the CLI does; (2) avoid uploading any sensitive local files — the CLI auto-uploads files passed to --broll-images, and the skill instructs fetching arbitrary product pages; (3) prefer running the CLI in an isolated environment (throwaway VM or container) if you must evaluate it; and (4) require explicit user confirmation before the agent fetches remote pages or uploads local files. If you need higher assurance, ask the skill author for a reproducible audit trail or a vetted binary/package source.

Like a lobster shell, security has layers — review code before you run it.

latestvk975xmgknf5gmyn8sd9jrctwad828var

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌎 Clawdis

Comments