Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seedance Cog
v1.0.8AI video generation powered by CellCog via Seedance. Cinematic 1080p video with smooth motion, multi-shot narratives, lipsync, voice synthesis, scoring. Comp...
⭐ 2· 865·6 current·6 all-time
byCellCog@nitishgargiitd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (Seedance / CellCog video generation) match the SKILL.md content: it instructs the agent to use the CellCog SDK to orchestrate Seedance and other models. However, the SKILL.md frontmatter lists a dependency 'cellcog' and the text requires setting CELLCOG_API_KEY, but the registry metadata lists no required env vars or declared dependency — an inconsistency.
Instruction Scope
The runtime instructions are focused on creating video tasks via the CellCog client and on install/auth steps. They do not instruct the agent to read arbitrary files or exfiltrate unrelated data. One item to note: examples use notify_session_key values (e.g., 'agent:main:main') which cause interaction with agent sessions — expected for an orchestration skill but worth confirming intended behavior.
Install Mechanism
This is an instruction-only skill (no install spec), so nothing is automatically downloaded by the skill itself. The SKILL.md tells users to run '/cellcog-setup', 'clawhub install cellcog', or 'pip install -U cellcog' — normal for an SDK-based integration, but installing third‑party pip packages runs code from PyPI and should be vetted separately.
Credentials
SKILL.md explicitly tells users to set CELLCOG_API_KEY (and references authentication/setup flows), but the registry metadata declares no required environment variables or a primary credential. The skill will need at least one API key to function; the omission is a mismatch that could confuse users and hide a credential requirement.
Persistence & Privilege
The skill does not request always:true and does not claim elevated persistence. Autonomous invocation is allowed (default) which is normal for skills; nothing in the file attempts to modify other skills or system-wide agent settings.
What to consider before installing
Before installing or enabling this skill: 1) Ask the publisher to correct the registry metadata to declare the 'cellcog' dependency and a required primary env var (e.g., CELLCOG_API_KEY) so you know what credentials are needed. 2) Only provide an API key you control and understand the billing/privacy implications — the skill calls an external video-generation service and will upload prompt/content. 3) Review the 'cellcog' SDK (pip package) source or verify publisher trustworthiness before running pip install, since packages execute code at install time. 4) Confirm how notify_session_key/agent modes are used so you know which agent sessions get notifications or outputs. 5) If you have low tolerance for data leakage, test the integration in an isolated account/project with limited credentials or a throwaway API key first.Like a lobster shell, security has layers — review code before you run it.
latestvk9794fhy9jgr6qh15xb3bh1nk584vkkp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🌱 Clawdis
OSmacOS · Linux · Windows