Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jimeng Video
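v1.0.0
Jimeng AI video generation tool (version with sound). Automatically generates high-quality video with audio through the Volcengine API. Supports text-to-video and image-to-video, and is suited to short-video content creation.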
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate videos (with audio) via Volcengine/Dreamina and the SKILL.md provides curl calls to a Volcengine API endpoint — that is coherent with the stated purpose. However, the registry summary at the top claims no required env vars while skill.yaml and SKILL.md say API keys are required, and the skill package metadata owner/homepage values do not match the registry metadata. These metadata mismatches are unexpected and reduce trust.
Instruction Scope
Instructions are instruction-only and direct the agent to POST/GET to https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks to create and check tasks — appropriate for a video-generation skill. They also instruct storing credentials under ~/.openclaw/.credentials/volcengine-dreamina.env. A problematic detail: the curl examples use ${API_KEY} while skill.yaml documents VOLCENGINE_ACCESS_KEY_ID and VOLCENGINE_SECRET_ACCESS_KEY, creating ambiguity about which environment variables the agent will read. No other file-system paths or unrelated credentials are referenced.
Install Mechanism
No install spec and no code files are present — the skill is instruction-only, so nothing is downloaded or written by an installer. This is lower-risk from an install-mechanism perspective.
Credentials
The skill requires API credentials for Volcengine/Dreamina (VOLCENGINE_ACCESS_KEY_ID and VOLCENGINE_SECRET_ACCESS_KEY per skill.yaml and SKILL.md), which is proportionate to calling the vendor API. However, the top-level registry summary listed 'Required env vars: none', and the examples use an undefined ${API_KEY} variable instead of the declared variable names. The inconsistency could lead the agent to look for or prompt for unexpected env vars (e.g., API_KEY). No unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system privileges or to modify other skills. It stores credentials in a skill-specific path per its docs, which is normal for API-based skills.
What to consider before installing
This skill appears to call Volcengine's Dreamina API and legitimately needs Volcengine API keys, but the package has several inconsistencies that merit caution: (1) registry metadata says no env vars required while skill.yaml and SKILL.md require VOLCENGINE_ACCESS_KEY_ID and VOLCENGINE_SECRET_ACCESS_KEY; (2) curl examples use ${API_KEY} (a different variable name), which could cause the agent to try to read an unexpected env var; (3) owner IDs/homepage/published metadata differ across files. Before installing: confirm the skill's source and author (verify homepage/registry publisher), only provide a minimal-scope Volcengine API key (or a test account) rather than high-privilege keys, and ensure you understand which env var the skill will actually use (map API_KEY to your Volcengine credentials if necessary). If you cannot verify the publisher or the metadata discrepancies, avoid installing or run it in an isolated environment. If you want, provide the registry/owner details or the platform mapping the agent uses for env vars and I can help map which credential names will be used at runtime.
Like a lobster shell, security has layers — review code before you run it.
