ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aivideomaker-test-api

v1.0.2

Executes AIVideoMaker API workflows for text-to-video and image-to-video generation, including task creation, status polling, task details retrieval, and can...

0· 107·0 current·0 all-time
by@rainlin10
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, SKILL.md, manifest, and code all describe an AIVideoMaker API executor that uses an AIVIDEO_API_KEY and Node to run workflows. One small incoherence: the top-level registry summary lists no required binaries, while SKILL.md and clawhub.manifest.json declare 'node' as a required binary and the scripts are Node (ESM) programs. Also the registry metadata earlier showed 'Primary credential: none' while the skill actually treats AIVIDEO_API_KEY as the primary credential. These are configuration/metadata mismatches but align with the runtime behavior.
Instruction Scope
SKILL.md instructs running node scripts with a JSON payload and polling/cancelling tasks. The code reads only the declared environment vars (AIVIDEO_API_KEY, optional timeout and retries) and the provided --payload argument; it does not read arbitrary host files or other credentials. Network calls are restricted to the configurable baseUrl (default https://aivideomaker.ai).
Install Mechanism
There is no install spec (instruction-only skill plus included scripts). No remote downloads or archive extraction occur. The skill contains Node scripts that would run on the host if Node is available.
Credentials
Only AIVIDEO_API_KEY is required (plus optional AIVIDEO_TIMEOUT_MS and AIVIDEO_MAX_RETRIES). Those env vars are appropriate for a remote-API client. No unrelated credentials or broad system paths are requested. The client code does reference process.env and validates the presence of the API key.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system-wide configs, and contains no persistence or self-enabling behavior. It will perform outbound requests only when invoked.
Assessment
This skill appears to do what it says: call aivideomaker.ai endpoints and manage generate/status/cancel workflows. Before installing: 1) Fix the small metadata mismatches (registry listing vs SKILL.md/manifest) so the platform knows Node is required and AIVIDEO_API_KEY is the primary credential. 2) Confirm your runtime provides a Node environment with global fetch (the scripts assume a fetch API); if your Node is older (e.g., 14 or 16) you may need Node >=18 or to supply a fetch polyfill. 3) Provide a scoped/test API key first and monitor usage/quotas — the skill logs debug info and attempts to sanitize headers, but you should avoid passing your long-lived production key until tested. 4) Ensure outgoing network access to https://aivideomaker.ai is allowed and that your environment's secret storage is used for the API key. 5) If you need to be extra cautious, review network egress and runtime logs during a test run to confirm no unexpected endpoints or sensitive data are transmitted.
scripts/aivideo-client.mjs:5
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk979k23ar3k0b6874b53efdtgh83ksdc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAIVIDEO_API_KEY

Comments