Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alibaba Ai Video Wan Video
v1.0.0
Alibaba Cloud Wanx Video Generation - Text to Video, Image to Video, Video Editing
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, scripts and examples all target Alibaba Cloud 'Wanx' video generation and the declared env var (DASHSCOPE_API_KEY) matches the scripts' expectation. However, the repository contains an embedded API key literal (sk-...) and two slightly different video API endpoints in different scripts, which is inconsistent with a clean integration.
Instruction Scope
SKILL.md instructs running provided shell scripts which perform network calls to external endpoints (dashscope.aliyuncs.com) with the user's prompt and then download the resulting video. That is expected for this feature, but the scripts will use a built-in fallback API key if the DASHSCOPE_API_KEY environment variable is not set — meaning the skill will send data using an embedded credential without explicit user consent. The README also references additional scripts (e.g., wanx-i2v.sh, wanx-digital-human.sh) that are not present.
Install Mechanism
There is no install spec (instruction-only), which is low-risk, but the package does include executable shell scripts that will be run. No external archives or third‑party package installs are specified.
Credentials
Only one env var (DASHSCOPE_API_KEY) is declared, which is proportionate for an API integration. However, both scripts contain a hardcoded API key literal, and one script falls back to that literal if the env var is missing. Hardcoded credentials undermine the declared env-var model and risk unauthorized usage, credential leakage, or unexpected billing.
Persistence & Privilege
The skill does not request elevated or persistent privileges (always:false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default, but that is not an additional privilege here.
What to consider before installing
Do not run these scripts in a production environment or with sensitive prompts until the credential issue is resolved. Specific actions to consider:
- The scripts include a hardcoded API key (sk-...) and will use it if DASHSCOPE_API_KEY is not set — this is a major red flag. Ask the publisher to remove any embedded keys and require the user to supply their own API key.
- Verify the endpoints (dashscope.aliyuncs.com) and confirm they are official for your Alibaba/Bailian account. If in doubt, consult Alibaba docs or network-monitor the calls in a sandbox.
- If you or your organization accidentally used the embedded key, rotate relevant credentials immediately.
- Prefer a version where the script fails if DASHSCOPE_API_KEY is missing (no fallback), and has no hardcoded secrets. Also request that the author include the missing helper scripts referenced in the README or correct the examples.
- Run the code in an isolated environment (container/VM) if you want to test it, and inspect network traffic and responses before using real data or paying for generation.
Given the presence of an embedded credential and minor inconsistencies, treat this skill as suspicious until the author fixes the hardcoded key and clarifies endpoint/behavior.
Like a lobster shell, security has layers — review code before you run it.
latest vk975skh88snsbwha8x9a29bj8583rej7
Runtime requirements
🎬 Clawdis
Env: DASHSCOPE_API_KEY
