Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI UGC Videos
v1.0.0
Generate fully produced UGC-style video ads with AI-driven scripts, real visuals, voiceovers, and campaign strategy for Facebook, TikTok, and Instagram.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md outlines scraping Meta Ad Library, TikTok, Amazon, Reddit and using Apify, InVideo AI and Claude to produce videos. Those capabilities legitimately require API tokens or service accounts (Apify token, InVideo API key, likely an LLM key or platform model access). The registry metadata lists no required environment variables or credentials — this is inconsistent and unexpected for the described workflow.
Instruction Scope
The instructions themselves stay within the claimed ad-production scope (collect competitor ads, mine customer language, generate scripts, produce videos, output campaign strategy). They explicitly describe scraping external sites and sending content to InVideo/Claude, which is expected for the purpose. However, the SKILL.md instructs use of third‑party services and example input includes secrets (apify_token, invideo_api_key) even though the manifest doesn't declare them — the runtime behavior will require transmitting scraped and product data to external endpoints, so users should know where keys are used and how data is handled.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing on-disk will be added by an installer as presented.
Credentials
The example inputs in SKILL.md include 'apify_token' and 'invideo_api_key' (and implicitly LLM usage via Claude). The manifest, however, declares no required env vars or primary credential. Requiring multiple external API keys to operate is reasonable, but the manifest should declare them. The omission is either an oversight or an attempt to avoid exposing that sensitive credentials will be needed; either way it's disproportionate/incoherent as published.
Persistence & Privilege
The skill is not always-included, is user-invocable, and does not request persistent system presence or modify other agent settings. No elevated privileges are declared.
What to consider before installing
This skill describes a workflow that will send product and scraped competitor/customer data to third‑party services (Apify, InVideo, Claude). Before installing or using it:
1) Ask the publisher to update the manifest to list required credentials (Apify token, InVideo API key, any LLM key) and explain exactly how and where those keys are used and stored.
2) Prefer providing short‑lived or scoped API keys and create dedicated accounts for this skill rather than reusing high‑privilege credentials.
3) Confirm data handling and retention policies for Apify/InVideo/Claude (do they keep copies of uploaded content?).
4) Verify legal/terms compliance for scraping Meta/TikTok content in your jurisdiction and for the target accounts.
5) If you decide to test it, do so with non-sensitive sample data and revoke keys after testing.
If the publisher can show a corrected manifest and clear data‑flow (or provide code that runs locally without sending secrets to unknown servers), this assessment could change to benign.
Like a lobster shell, security has layers — review code before you run it.
