ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Ad Creator

v1.0.0

Create fully produced, platform-optimized video ads from text briefs, including scripts, voiceovers, visuals, captions, CTAs, and export-ready formats.

0· 26·0 current·0 all-time
by@nicemaths123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim (produce platform-optimized video ads) matches the instructions: SKILL.md describes using the InVideo API to generate scripts, voiceovers, captions, and exports. The endpoints and examples align with the stated purpose.
!
Instruction Scope
The runtime instructions explicitly tell the user/agent to create and export an INVIDEO_API_KEY and show code that reads process.env.INVIDEO_API_KEY, but the skill registry metadata lists no required environment variables. The SKILL.md otherwise stays on-topic and does not request unrelated files or credentials.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is low-risk. The SKILL.md recommends running `npm install axios fs-extra` for the JavaScript examples — reasonable for the examples, but the skill does not provide an automated install spec or vetted package versions.
!
Credentials
The skill requires an InVideo API key to operate (SKILL.md instructs storing INVIDEO_API_KEY in the environment), but the registry metadata does not declare any required env vars or primary credential. That mismatch reduces transparency about what secrets will be used and stored.
Persistence & Privilege
Skill flags are default (always:false, user-invocable:true, model invocation enabled). There is no request for permanent presence or privileged system modifications in the instructions.
Scan Findings in Context
[NO_CODE_FILES] expected: The package is instruction-only; the regex scanner had no code to analyze. This is expected for a SKILL.md-only skill, but it means static analysis did not inspect runtime behavior.
What to consider before installing
This skill appears to do what it says (call the InVideo API to generate ads), but the SKILL.md asks you to set an INVIDEO_API_KEY while the registry metadata lists no required environment variables — ask the publisher to clarify and update the metadata. Before installing: 1) Confirm you are comfortable storing an InVideo API key in the environment (this key can trigger API actions and potentially incur charges). 2) Prefer creating a limited-scope/test API key on InVideo if possible. 3) Review the affiliate/signup link and verify you're using the official InVideo domain. 4) Because the skill is instruction-only, it will rely on whatever runtime the agent has; ensure you trust the agent and monitor network/API usage and billing after first use. If the publisher cannot or will not correct the missing declared env var, treat the skill with extra caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk976nme32m91zg15rmb4q0vkxd843a8q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments