Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Viral Short Video
v1.0.0Generate 30 fully produced viral short-form videos with AI-driven trend analysis, scripting, voiceover, visuals, captions, hashtags, and a 30-day posting cal...
⭐ 0· 39·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name/description (generate 30 produced short-form videos) matches the SKILL.md workflow (scrape trends, generate scripts via Claude, produce videos via InVideo). The overall capability is coherent with its stated purpose. However, the workflow depends on several third-party services (Apify scrapers, InVideo AI, Claude) that are not reflected in the skill's declared requirements, which is an inconsistency to address.
Instruction Scope
Runtime instructions call for scraping top 100 videos across TikTok/Instagram/YouTube, Google Trends and Reddit using Apify, running AI script generation (Claude), and calling InVideo to produce videos. The SKILL.md explicitly expects API keys and tokens in its input examples (apify_token, invideo_api_key) but the skill metadata declares no required env vars. The instructions thus require network access and sensitive credentials that are not declared; that mismatch increases risk and surprises users.
Install Mechanism
No install spec and no code files — instruction-only skill. This reduces risk from arbitrary packages or downloads because nothing is written to disk by an installer. The security surface is the runtime instructions and any network calls they cause.
Credentials
The SKILL.md references at least three service credentials (apify_token, invideo_api_key, and use of Claude/Anthropic credentials implicitly) but the skill metadata lists no required environment variables or primary credential. Requesting/using multiple third-party API keys is proportionate to the described workflow only if they are declared and limited to those services; here the metadata omission is a red flag. Users need to know exactly which secrets will be requested, how they are stored/used, and whether the agent will retain them.
Persistence & Privilege
always is false and there's no indication the skill modifies other skills or requests permanent elevated presence. The skill can be invoked autonomously (default) which expands its blast radius, but that is the platform default and not by itself a new concern here.
What to consider before installing
Before installing: (1) Ask the publisher to declare required environment variables and primary credential(s) — specifically confirm where apify_token, invideo_api_key, and any Claude/Anthropic key are expected to be provided and whether they are stored. (2) Do not provide sensitive API keys until you confirm the exact usage, retention policy, and where network calls originate. (3) Confirm whether the skill will post on platforms or only produce downloadable files; if posting is supported, require explicit OAuth scoped tokens and review posting scope. (4) Be aware scraping public content may violate platform TOS and could surface copyrighted material — ask the author how scraped assets are licensed and whether the service fetches protected content. (5) Prefer ephemeral, per-run credentials or a sandboxed account for testing rather than your primary production keys.Like a lobster shell, security has layers — review code before you run it.
latestvk971s84eky2jaz701yhrqeh44d83x8sc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.