Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Gaming Content

v1.0.0

Scrapes trending gaming data and viral clips to generate optimized scripts and produce viral gaming videos with AI for content creators and monetization.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill description (scrape trends, generate scripts, produce videos) matches the SKILL.md actions, but the package metadata lists no required environment variables or install steps while the SKILL.md explicitly requires APIFY_TOKEN and INVIDEO_API_KEY and an npm install. That mismatch suggests incomplete or incorrect metadata.
! Instruction Scope
SKILL.md instructs the agent to scrape many public platforms (Reddit, TikTok, YouTube, Steam, Twitter/X, Instagram, Google News) via Apify actors and to call external video production APIs. Scraping multi-platform content, potentially downloading clips and republishing them, can raise legal/TOS and privacy issues. The instructions also reference Claude AI but do not explain required credentials for it.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the SKILL.md tells users to run `npm install apify-client axios`. Instruction-only skills are lower risk than installers, but asking the user to install npm packages should have been reflected in the metadata so users know what will be written/installed.
! Credentials
The registry claims no required env vars, yet SKILL.md instructs users to export APIFY_TOKEN and INVIDEO_API_KEY; it also mentions Claude AI but doesn't document any Claude/Anthropic API key. Required credentials are relevant to the stated functionality, but the omission from metadata is a proportionality/integrity problem — the skill may access secrets the metadata doesn't advertise.
Persistence & Privilege
The skill is not marked always:true and has no install spec that writes files; it is user-invocable and can be invoked autonomously (the platform default). Autonomous invocation combined with the above mismatches raises the blast radius, but autonomy alone is not unusual.
What to consider before installing
This skill's SKILL.md asks you to create and export API keys (APIFY_TOKEN and INVIDEO_API_KEY) and to install npm packages, but the registry metadata doesn't list those requirements — that's an inconsistency you should resolve before installing. Before using it:

(1) confirm with the author which API keys are actually required (and whether Claude/Anthropic or TTS/music keys are needed);
(2) limit API token scope where possible and use tokens you can revoke;
(3) be aware that scraping and republishing clips may violate platform TOS or copyright — review legal implications;
(4) watch for affiliate links in the documentation (Apify/InVideo links include tracking parameters);
(5) if you are uncomfortable granting automated access to scraping/production APIs, only run this skill manually and avoid enabling autonomous invocation.

If you need higher assurance, ask the publisher to update the registry metadata to list required env vars and install steps, and provide a shorter threat model explaining data flows and what gets uploaded to third-party services.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ap0bjqh3e8gffjw41rgtqvn843qt9
