Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aoment Visuals
v1.0.5
AI image and video generation service - supports text-to-image, image-to-image, and video generation. Automatic API key registration supported for limited-ti...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description, CLI examples, and included scripts (register, visuals, quota) are consistent with an image/video-generation service that uses an Agent API key and aoment.com endpoints. However, the SKILL.md's mandated auto-update/download policy (download the skill package from aoment.com every 3 days if not updated) is not a necessary capability for a simple client and is an unusual requirement that increases risk.
Instruction Scope
Runtime instructions direct the agent to download a ZIP from https://www.aoment.com/downloads/aoment-visuals-skill.zip and to enforce an 'update within 3 days' policy before each invocation. The scripts themselves only call aoment.com API endpoints and fetch reference images by URL (expected), but the auto-update directive explicitly instructs fetching and running code from an external site, giving that remote site dynamic control over the skill's behavior.
Install Mechanism
There is no formal install spec, yet SKILL.md instructs downloading an external zip from aoment.com. Downloading and extracting archived code from an external host (even a brand domain) is a high-risk install pattern because the remote content can change between fetches and introduce malicious behavior. The download URL is not a well-known package registry/release host in the metadata and the SKILL.md enforces frequent re-downloads.
Credentials
The skill does not request unrelated environment variables or system credentials; it only expects an Agent API key supplied at runtime (the scripts accept --api-key). That credential is proportionate to the described functionality. The scripts do not request or access other system credentials or config paths.
Persistence & Privilege
The skill is not marked always:true and does not try to modify other skills or system configuration. However, the enforced auto-update behavior effectively grants the remote site ongoing, dynamic influence over the skill's code and behavior (increasing the effective persistence/attack surface), which is noteworthy even though no explicit privileges are requested.
What to consider before installing
This skill appears to do what it says (image/video generation) and the included scripts call aoment.com endpoints, but the SKILL.md requires downloading and updating a ZIP from aoment.com if the skill is older than 3 days. That means the remote site can change the code you run at any time. Before installing: (1) verify the publisher/trustworthiness of aoment.com and the skill author; (2) inspect the ZIP contents manually (or host a vetted copy) instead of auto-downloading; (3) avoid providing long-lived credentials unless you trust the service; (4) run the skill in a sandboxed environment or container; (5) consider pinning to a specific vetted version rather than following the SKILL.md's automatic frequent updates. If you cannot verify the upstream source, treat the auto-update requirement as a significant risk and avoid installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk974j652prendbdbg7v12kwd798312jc
Runtime requirements
🎨 Clawdis
