Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Morfeo UGC Engine

v1.0.0

Generates and manages UGC videos for Argentine brands with a complete pipeline, from script to publication on social networks, with manual control and logs.

by Paul de Lavallaz (@pauldelavallaz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (UGC pipeline for Argentine brands) aligns with the SKILL.md operations (creating runs, advancing pipeline, selecting shots, publishing). Minor inconsistencies: README claims Telegram integration but there are no files or install steps implementing a Telegram bridge, and the source/homepage is unknown.
! Instruction Scope
The SKILL.md instructs the agent to interact with a local API, read project files under ~/clawd/projects, list outputs, view logs, and run pm2 restart/start commands. Those actions are coherent for a supervisor of a local service but they grant the agent filesystem and process control (restarting services, reading logs/files). The skill does not declare that it needs those privileges in metadata, which is a scope disclosure issue.
Install Mechanism
Instruction-only skill with no install spec and no code files present — lowest install risk. Nothing is downloaded or written by an installer here.
! Credentials
Metadata lists no required env vars, but SKILL.md references a bearer token and an optional $MORFEO_API_TOKEN and even provides a hardcoded admin token ('morfeo-admin-2026'). Embedding a privileged token in the instructions and failing to declare required credentials is disproportionate and insecure. No unrelated cloud credentials are requested, however.
Persistence & Privilege
always is false and there is no install step that would grant persistent system presence or modify other skills. The skill requests operational actions (pm2 restarts) but does not claim permanent inclusion or elevated platform privileges.
What to consider before installing
This skill is plausible for controlling a local UGC engine but exercise caution:
1) Confirm you actually run a Morfeo Engine at http://localhost:3336 before installing.
2) Do not rely on the hardcoded token in the SKILL.md; treat it as a placeholder and configure a least-privilege token via an environment variable (and ask the maintainer to declare MORFEO_API_TOKEN in metadata).
3) Understand that the skill's instructions include commands that read project files and restart services (pm2); only grant such control in a trusted, isolated environment.
4) Ask the publisher for the source repo or homepage and verify the maintainer identity before use (README references a GitHub repo but the skill package lacks source).
5) If you intend to expose this to a multi-user or production system, audit the local API for what the admin token can do (privilege escalation, deletion, publishing) and rotate/change tokens as needed.
