Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Global Video Title Generator

v1.0.0

Global Video Title Generator - AI-powered title generation for YouTube and TikTok international. Optimized for SEO, click-through rates, and viral potential....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description claim 'Global Video Title Generator' but the repository contains multiple variants and broader functionality (complete video content generator, pricing/monetization, analytics, webhooks). Config files use different skill names (global-video-title-generator, global-video-content-generator, video-content-gen) and different API base URLs (api.videotitlegen.com, api.videocontentgen.com). This divergence suggests either sloppy packaging (benign) or a kit cobbled from multiple projects; it is disproportionate to the single-purpose name.
Instruction Scope
SKILL.md instructs the agent to import local Python classes and/or call provided CLI scripts and describes API endpoints and trend integration. The runtime instructions themselves do not ask to read unrelated system files or environment secrets, but they claim real-time 'trend analysis' across external sources and show API endpoints/webhooks without declaring required credentials—raising questions about whether the code will attempt network access or require secrets at runtime.
Install Mechanism
No install spec is provided (instruction-only from the registry perspective), which is lower risk. The package does include many Python source files within the skill bundle, but nothing in the manifest indicates downloads or external installers.
Credentials
The skill declares no required environment variables or primary credential, yet the code/configs support paid API usage, API keys, OAuth/JWT, webhooks, and external trend sources. Expectation: paid/API features should require a credential; the registry not requesting any env vars is inconsistent and should be validated. The package does not ask for unrelated credentials, but the mismatch between advertised networked features and no declared secrets is suspicious.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only by default. Some included scripts (publish.py) write files into the skill directory (SKILL.md, _meta.json, .clawhub/), which is normal for build/publish tools and limited to the skill's package, not system-wide settings.
What to consider before installing
This package mostly looks like a title/content generator, but there are multiple red flags you should check before installing or providing secrets:
1) Inconsistencies: several config files use different skill names and API base URLs—ask the author which one is canonical.
2) Network behavior: SKILL.md and configs mention real-time trend sources and API/webhook endpoints but the registry declares no required API keys; inspect scripts (especially scripts/main, video_content_generator*, complete_generator.py and any use of 'requests', 'urllib', 'socket', or subprocess) to see whether they perform HTTP calls or remote authentication.
3) Credentials: do not provide API keys to this skill until you confirm which endpoint they are sent to and view the call site.
4) Local file writes: publish.py and other tooling create files in the package directory—this is expected for packaging but review what they create.
5) Testing: run the code in an isolated environment (container) and audit network activity while exercising free-tier flows.
If you need a quick go/no-go: treat this as untrusted until the author confirms the canonical repo/name, the intended API endpoints, and why no env vars are declared for advertised networked features.

Like a lobster shell, security has layers — review code before you run it.

latest vk973t05a5r84bwnhqrfs5cd47h8411d6

