Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Viral Short Videos
v1.0.0Automatically generate 30 viral short-form videos with AI-scripted hooks, captions, voiceover, and visuals tailored to your niche, optimized for TikTok, Reel...
⭐ 0· 48·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The stated purpose (automatically produce 30 short videos) matches the tools and workflow described (scrape viral content, analyze patterns, generate scripts with Claude, produce videos with InVideo via API). However, that functionality legitimately requires API credentials (Apify token, InVideo API key, and likely a Claude API key/billing account) and possibly external account billing. The registry metadata lists no required env vars or primary credential, which does not align with the claimed capabilities.
Instruction Scope
The SKILL.md explicitly instructs scraping the top 100 videos across TikTok, Instagram Reels, and YouTube Shorts and sending data to Apify and InVideo. It also requires sending niche/brand data and generated content to external services. While these actions are coherent with the purpose, they involve transmitting possibly sensitive input data and scraped platform content off‑agent. The instructions reference API tokens and other secrets in the example input, but do not restrict or document how those secrets are handled or stored.
Install Mechanism
This is an instruction‑only skill with no install spec and no code files, so there is no installer that writes or executes downloaded code on disk. That limits local persistence and supply‑chain risk.
Credentials
The SKILL.md requires (or expects) at least an Apify token and an InVideo API key in its inputs, and it references Claude AI for script generation — all of which are credentials with network/billing privileges. Yet the registry metadata declares no required environment variables or primary credential. Missing declarations are a mismatch that could hide data exfiltration or unexpected credential use. The number and sensitivity of the credentials implied are proportionate to the task, but they should be explicitly declared and limited to least privilege.
Persistence & Privilege
always is false and the skill is user‑invocable; it does not request permanent presence or to modify other skills. Autonomous model invocation is allowed by default but is not combined with other high‑privilege flags here.
What to consider before installing
Before installing or running this skill: (1) Ask the publisher to explicitly list required credentials (Apify token, InVideo API key, and Claude API key or instructions for using Claude) in the registry metadata and explain how credentials are used, stored, and rotated. (2) Use least‑privilege API keys or separate accounts for this skill (do not give your primary Apify/InVideo/Claude credentials). (3) Confirm whether the skill will upload scraped platform content to third parties and review any copyright/ToS implications for scraping TikTok/Instagram/YouTube. (4) Verify billing implications with the third‑party services (APIs may incur charges). (5) If you are uncomfortable with the skill autonomously transmitting data to external services, refrain from granting API keys or run it in a controlled/test environment first. Finally, request source/homepage or contact info for the owner — the skill currently lacks provenance information, which reduces accountability.Like a lobster shell, security has layers — review code before you run it.
latestvk97988n3wvhnpjtwfbh8cw3kzd84arc3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.