Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cinematic Kling
v1.0.2
Generate 5-second cinematic AI videos using Kling via ComfyDeploy. Takes a character image, item image, and location image, then produces a character sheet, ...
by Paul de Lavallaz (@pauldelavallaz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The declared purpose — generating 5-second videos via Kling on ComfyDeploy — matches the runtime calls to ComfyDeploy endpoints. However, the skill runtime relies on an environment variable (COMFY_DEPLOY_API_KEY) and on uploading files to ComfyDeploy storage even though the registry metadata lists no required env vars or primary credential. That omission is an incoherence: a deployment integration legitimately needs an API key and should declare it.
Instruction Scope
SKILL.md instructs the agent to 'source ~/clawd/.env' and to upload local files to ComfyDeploy. Sourcing a local .env reads arbitrary secrets from the user's home directory (unrelated to the skill's stated inputs) and is unnecessary if the only required secret is a single COMFY_DEPLOY_API_KEY, which should be requested explicitly. The instructions also strongly push using ComfyDeploy storage for all inputs, which could result in user data being uploaded to the provider rather than to a user-controlled endpoint. The mandatory use of an image tool to classify images is fine, but the explicit guidance to read a local .env is scope creep and increases the risk of secret exposure.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it doesn't write or execute new code on disk. That reduces install-time risk.
Credentials
The instructions clearly require COMFY_DEPLOY_API_KEY for Authorization, but the skill metadata lists no required env vars. Additionally, sourcing ~/clawd/.env could leak many unrelated secrets (AWS keys, other API tokens). Asking users to place or source secrets in a local .env without declaring them and without explaining minimal required privileges is disproportionate.
Persistence & Privilege
The skill does not request always: true and makes no claims about persisting itself or modifying other skills. Autonomous invocation is permitted (platform default) but not combined with other high-risk privileges here.
What to consider before installing
This skill appears to do what it says (call ComfyDeploy to generate short videos), but its SKILL.md asks you to 'source ~/clawd/.env' and uses a COMFY_DEPLOY_API_KEY without declaring it in the registry. Before installing or running: (1) require the publisher to declare the exact environment variables the skill needs (COMFY_DEPLOY_API_KEY) and why; (2) never source or import a user's ~/.env — ask the user to set only the minimal COMFY_DEPLOY_API_KEY in a named variable; (3) consider whether you're comfortable uploading image files to the ComfyDeploy service (they will be stored on third-party S3); and (4) avoid using this skill if your ~/.env contains other sensitive keys (AWS, database credentials, Slack tokens), because the current instructions could accidentally expose them. If the author can remove the 'source ~/.env' step and explicitly declare the single required API key, the incoherence would be resolved and the risk lowered.
