Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Video Gen CN
v1.0.0
End-to-end AI video generation - create videos from text prompts using image generation, video synthesis, voice-over, and editing. Supports OpenAI DALL-E, Re...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the Python scripts align: the code implements image generation, video synthesis (via LumaAI placeholder), TTS (OpenAI), and FFmpeg editing. However, registry metadata earlier claimed 'Required env vars: none' while the SKILL.md, README.md, and scripts rely on multiple API keys. Also skill.yaml only declares OPENAI_API_KEY and REPLICATE_API_KEY but the runtime uses LUMAAI_API_KEY, RUNWAY_API_KEY, and ELEVENLABS_API_KEY as well. These mismatches between declared requirements and actual code are concerning because they obscure what sensitive data the skill will require.
Instruction Scope
SKILL.md instructions remain within the stated purpose: they show how to run scripts, set API keys, install dependencies, and use FFmpeg. The code reads .env, invokes network APIs (OpenAI, Replicate, LumaAI endpoints), writes image/audio/video files to disk, and calls ffmpeg via subprocess. Nothing in the instructions asks the agent to read unrelated system files or exfiltrate arbitrary data. Concerns: SKILL.md and README reference additional scripts (multi_scene.py, edit_video.py, examples/ folder) that are not present in the package — this inconsistency could confuse users or hide intended flows. The LumaAI call in generate_video.py is implemented as a placeholder that uploads a local path as JSON; if left unmodified it may not work as intended.
Install Mechanism
No binary download/install spec is embedded in the skill bundle. It's instruction-only for installation (pip install -r requirements.txt) and includes requirements.txt. No remote, arbitrary archive downloads or obscure install URLs are used. The only potentially risky external dependency is the requirement to have FFmpeg available (invoked via subprocess), but this is expected for video tooling.
Credentials
The environment variables the code uses (OPENAI_API_KEY, REPLICATE_API_TOKEN, LUMAAI_API_KEY, RUNWAY_API_KEY, ELEVENLABS_API_KEY) are appropriate for video/image/voice generation, so their presence is proportionate to the feature set. The concern is inconsistency in where those variables are declared: registry metadata lists none, skill.yaml only declares two, SKILL.md lists several. This mismatch makes it unclear which secrets the skill will actually read and whether the platform will surface prompts to provide them. Before providing keys, users should confirm which keys are actually required and whether keys will be persisted anywhere.
Persistence & Privilege
The skill does not request elevated or persistent platform privileges (always: false). It does not modify other skills' configuration nor request system-wide changes. It runs as ordinary user code, writing generated media files to the current working directory.
What to consider before installing
This package implements the advertised video, image, and TTS flows and will call external services (OpenAI, Replicate, LumaAI, etc.). Before installing or providing API keys:
1) Confirm which API keys you must supply — the bundle is inconsistent (SKILL.md, README, and skill.yaml disagree). Provide only the minimum keys you trust.
2) Inspect the code locally (generate_video.py, add_voiceover.py) to verify endpoints and behavior; these scripts perform network calls and write files.
3) Run first in an isolated environment (VM or container) and with test/limited API keys to avoid unexpected charges or data exposure.
4) Note missing referenced files (multi_scene.py, edit_video.py, examples/) and placeholder LumaAI request logic — the Luma call may not be a correct/complete integration.
5) Ensure FFmpeg on your system is a trusted binary because the scripts invoke it.
If you are not comfortable auditing the code or if the source is unknown/untrusted, avoid supplying production API keys.
Like a lobster shell, security has layers — review code before you run it.
