Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

superouter-video-gen

v1.0.1

Use when the user wants to generate a video through the superouter, especially the `seedance-2.0-v1` omni-reference workflow with ordered assets, async submi...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, required binary (curl) and required env var (SUPER_KEY) align with a REST-based video-generation integration; the SKILL.md only documents calls to the superouter platform and operations you would expect (upload, submit, poll, download). However the platform host (superouter.nesports.top) and lack of source/homepage reduce trust and should be verified.
Instruction Scope
Instructions explicitly require checking arbitrary local file paths exist and uploading them via curl (file=@/absolute/path). That is expected for an upload workflow, but the skill does not constrain which files may be referenced: an agent following these instructions could be directed to upload any local file (including sensitive files). Also the examples use HTTP (http://...) for API endpoints which would transmit the Authorization Bearer token in cleartext over the network—this is a material security concern unless the host is known to be on a trusted/private network.
Install Mechanism
Instruction-only skill with no install spec and only a curl dependency declared — minimal local install risk.
Credentials
Only one env var (SUPER_KEY) is required which is appropriate for authenticating to the platform. Concern: examples send this key over unencrypted HTTP; also the skill will cause the agent to use that key whenever it calls the remote host, so ensure the key has limited scope and can be rotated if compromised.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system configs per the provided metadata.
What to consider before installing
This skill appears to be a straightforward wrapper for a remote video-generation API and only needs curl plus a SUPER_KEY. Before installing, verify the remote service: check that superouter.nesports.top is the legitimate endpoint (ask the provider or find an official homepage), and prefer an HTTPS endpoint — sending Authorization: Bearer over http exposes the API key on the network. Treat SUPER_KEY like any secret: limit its privileges, use a disposable key for testing, and rotate it if you later suspect misuse. Be cautious about what local paths you allow the agent to upload — the instructions permit uploading arbitrary absolute paths, so do not reference sensitive files (home directories, SSH keys, environment files). If you cannot verify the service identity or HTTPS availability, consider not installing or testing only with non-sensitive assets and a test key. Additional information that would reduce concern: an official homepage or documentation, TLS/HTTPS endpoints, or explicit guidance limiting allowed upload paths.

Runtime requirements

Bins: curl
Env: SUPER_KEY
