Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Video Editor

v0.0.1

Video editing tool that requires no ffmpeg installation. All video processing is executed in the cloud - no local ffmpeg installation needed. If both input a...

by alibabacloud-skills-team@sdk-team
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (cloud-based video editing via Alibaba Cloud ICE and OSS) matches the included references and the script, so needing Alibaba Cloud credentials and OSS access is coherent. However, the registry metadata declares no required environment variables or config paths, while the SKILL.md and script explicitly require Alibaba Cloud credentials and optionally OSS_BUCKET/OSS_ENDPOINT — a metadata/instruction mismatch.
! Instruction Scope
SKILL.md instructs the agent to obtain credentials via the Alibaba Cloud default credential chain (env vars, ~/.alibabacloud/credentials.ini, or ECS RAM role) and to upload local files to OSS (or list buckets). Those are legitimate for the task but are not declared in the skill metadata. The instructions also tell the user to 'pip install -r requirements.txt' but there is no requirements.txt in the file manifest, so dependency installation guidance is incomplete and could lead to ad-hoc installs. The skill will read local credential files and may upload local media to a cloud bucket — users should expect cloud access and potential transfer of local files.
Install Mechanism
There is no formal install spec (instruction-only), which limits automatic disk changes. However, SKILL.md recommends running 'pip install -r requirements.txt' even though no requirements.txt is included in the package. The script imports Alibaba Cloud SDK packages; installing dependencies would pull third-party packages from PyPI, so users should inspect and pin those dependencies before installing.
! Credentials
The skill requires access to Alibaba Cloud credentials and may use the OSS_BUCKET and OSS_ENDPOINT environment variables (documented in SKILL.md; ram-policies.md describes the required RAM permissions). The registry metadata does not declare any required env vars or config paths, creating an omission. Requesting cloud credentials and OSS access is proportionate to the stated cloud editing purpose, but the lack of declared requirements is a coherence risk: users need to be aware they must provide credentials and potentially grant ICE/OSS permissions.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide persistence, and does not modify other skills. It uses the platform's normal credential chain and performs remote API calls; autonomous invocation is allowed by default but is not combined with 'always: true' or other elevated privileges.
What to consider before installing
This skill genuinely integrates with Alibaba Cloud ICE/OSS and will need your Alibaba Cloud credentials (environment variables, ~/.alibabacloud/credentials.ini, or an ECS RAM role) and may upload local files to OSS. Before installing or running:
1) Understand you are granting it the ability to list/upload objects and submit ICE jobs. Follow the included ram-policies.md and consider creating a least-privilege RAM user with only the ICE and OSS actions you need.
2) There is no requirements.txt in the package but the script imports Alibaba Cloud SDKs. Inspect and pin Python dependencies before running pip install to avoid pulling unexpected packages.
3) Confirm the output bucket and paths (MediaURL) to ensure results go to a bucket you control.
4) If you have sensitive local files, be cautious: uploading media to OSS will transmit their contents to Alibaba Cloud.
5) The registry metadata omits environment/config declarations; treat that omission as a red flag and verify credentials and env vars manually before use.
