Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ReelOnce-skill

v1.0.1

ReelOnce all-in-one orchestrator skill. A single call runs the complete pipeline from input text to the final video output: planning, asset image / storyboard image / TTS generation, per-shot video generation, Remotion project generation and final MP4 rendering.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
high confidence
Purpose & Capability (flagged)
The skill is presented as a local orchestrator for a ReelOnce pipeline and the included scripts simply call an installed 'reelonce' package, which is coherent. However, the documentation repeatedly requires/mentions SKILLS_VIDEO_* / CUSTOM_* / COMMERCIAL_* environment variables and instructs users to copy and source env.local — yet the registry metadata lists no required environment variables. That omission is an incoherence: the skill will practically need API keys and environment config to function, but these are not declared.
Instruction Scope (flagged)
SKILL.md instructs creating a venv, running pip install -e '.[dev]', copying and sourcing env.local, running npm install inside generated Remotion projects, and sending asset references to commercial video services (either URLs or base64-encoded images). These operations are within the stated purpose, but they include reading local files and potentially converting and sending local images as base64 to external endpoints — behavior that should have been made explicit in the metadata and permission model.
Install Mechanism
There is no registry install spec (instruction-only skill with small helper scripts). The README instructs standard pip editable install and npm install in the generated Remotion project. Those are expected for this kind of project and are not themselves suspicious, but they do mean code from the 'reelonce' package and npm packages will be installed and executed on the host.
Credentials (flagged)
Although the registry lists no required env vars, SKILL.md clearly expects variables like SKILLS_VIDEO_API_KEY, SKILLS_VIDEO_IMAGE_MODEL, SKILLS_VIDEO_VIDEO_MODEL and supports CUSTOM_* / COMMERCIAL_* variants. Requiring API keys and other secrets is proportionate to the task, but the metadata failing to declare them is a mismatch. Also, instructing users to 'set -a && source ./env.local' will export all variables from env.local into the environment — potentially exposing many secrets if env.local contains unrelated credentials.
Persistence & Privilege
The skill is not forced-always (always: false) and does not request system-wide changes in the provided files. It runs subprocesses (calls into the installed 'reelonce' package and will run npm in generated project directories) but does not itself modify other skills or global agent config.
What to consider before installing
Before installing or running this skill:
(1) review env.local.example to see which API keys and variables it expects (SKILLS_VIDEO_*, CUSTOM_*, etc.) — the registry metadata omits these;
(2) understand that running the skill will install and run the 'reelonce' Python package and npm packages (inspect their provenance and code if you don't trust the source);
(3) the pipeline may upload images (URLs or base64) to external video services — don't run it with sensitive local images or credentials present;
(4) avoid blindly sourcing env.local from untrusted sources (it can export many secrets);
(5) if you want to proceed, run it in an isolated environment (container or VM), inspect the installed reelonce package first, and only provide API keys for services you trust.


