Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
zxcvbnm-mnbvcxz
v1.0.1
Executes AIVideoMaker API workflows for text-to-video and image-to-video generation, including task creation, status polling, task details retrieval, and can...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The implementation (scripts/*, references/*, contract validation) clearly implements an AIVideoMaker API workflow and only requires an AIVIDEO_API_KEY and node. That capability is coherent with the described purpose. However, the published skill name (zxcvbnm-mnbvcxz) and registry metadata do not match internal filenames/_meta.json/manifest (aivideo-api-executor), and the registry version (1.0.1) differs from package version (1.0.12). These metadata mismatches are unexpected and reduce trust.
Instruction Scope
SKILL.md and the scripts restrict actions to: accept CLI payload, validate payload, and call the AIVideoMaker API endpoints (baseUrl defaults to https://aivideomaker.ai). The code reads only process.env.AIVIDEO_API_KEY and CLI args; it does not read arbitrary host files or other env vars. Logging masks headers and strips headers from log output. No evidence of data exfiltration to unexpected endpoints.
Install Mechanism
There is no installer that downloads remote code; the package includes local JS files only (low install risk). No external archives or obscure URLs are fetched during install. Note: package.json requires node but the package lists engines >=14; the code uses fetch which may require Node >=18 to work as-is—this is a runtime compatibility issue, not a direct security problem.
Credentials
The only required secret is AIVIDEO_API_KEY (declared in several places). Optional env variables (AIVIDEO_TIMEOUT_MS, AIVIDEO_MAX_RETRIES) are reasonable. One inconsistency: top-level 'Requirements' summary said 'required binaries: none' but SKILL.md and clawhub.manifest.json declare node as required. Primary credential was missing in the initial registry summary but present in manifest — small inconsistencies that should be reconciled.
Persistence & Privilege
always:false and model invocation not disabled (platform default). The skill does not request persistent system privileges, does not modify other skills, and does not require system config-path access.
What to consider before installing
This package's code implements the AIVideoMaker API and appears to only use the AIVIDEO_API_KEY to call the vendor's endpoints, which is consistent with its advertised functionality. However, before installing:
1) Verify origin — the published skill name (zxcvbnm-mnbvcxz) and registry metadata do not match internal filenames and manifest (aivideo-api-executor) and versions differ; this could be an accidental mispackaging or a sign it was republished under a different name.
2) Confirm you trust the owner/source (no homepage is provided).
3) Review the included JS files yourself (they're short and readable) or ask the publisher to explain the metadata mismatches.
4) Provide only a scoped API key, rotate it if you decide to install, and monitor usage.
5) Be aware of the Node runtime expectation (code uses fetch — ensure Node version supports global fetch or supply a compatible runtime).
If you cannot verify the origin or the metadata inconsistencies are unexplained, avoid installing.
scripts/aivideo-client.mjs:5
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: AIVIDEO_API_KEY
