Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video AD Prod

v1.0.0

Generate optimized video ads from text briefs using InVideo AI, producing scripts, voiceovers, captions, CTAs, and platform-specific exports for Facebook, In...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a video-ad generation skill that uses the InVideo API — this aligns with the skill name and description. However, the metadata declares no required credentials or binaries even though the instructions require an INVIDEO_API_KEY and instruct use of Node/npm packages, so the declared requirements do not fully match the runtime needs.
Instruction Scope
The runtime instructions stay within the stated purpose: they show how to generate scripts, call InVideo endpoints, poll job status, and request exports. The instructions do not ask the agent to read unrelated system files or exfiltrate data. They do instruct the user/agent to set an INVIDEO_API_KEY environment variable, which is logical, but that credential is not declared in the skill metadata.
Install Mechanism
There is no install spec or code files (instruction-only), which is lower risk. But SKILL.md tells users to run `npm install axios fs-extra` and uses Node examples — the metadata does not list npm/node as a required binary nor include an install block. This mismatch is sloppy and could lead to runtime failures or unexpected commands run by agents that try to satisfy those instructions.
Credentials
The instructions require an InVideo API key (INVIDEO_API_KEY) and show usage of process.env.INVIDEO_API_KEY, but the skill metadata lists no required environment variables or primary credential. The absence of declared credentials prevents automated permission checks and is a proportionality/visibility issue that should be resolved before use.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not request system config paths or other skills' credentials. As an instruction-only skill it doesn't install persistent components by itself.
What to consider before installing
This skill appears to implement what it claims (using InVideo's API to produce ads) but its registry metadata is incomplete: it does not declare the INVIDEO_API_KEY env var or the Node/npm expectation shown in SKILL.md. Before using/installing: (1) verify you actually want to grant an InVideo API key to whatever environment will run the agent; prefer a limited-scope or test API key on a trial account; (2) confirm the runtime has Node/npm and only install the listed npm packages in a controlled environment; (3) be aware the README includes an affiliate link (invideo.sjv.io) — that is a potential conflict of interest but not necessarily malicious; (4) ask the publisher to update metadata to declare required env vars and binaries so permission checks are accurate; and (5) monitor for unexpected network activity and avoid using any production credentials until you have validated outputs on a test account.

Like a lobster shell, security has layers — review code before you run it.
