Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

image-to-video-gen

v1.0.0

Generate a smooth, cinematic video from a supplied image using Gemini vision and Veo, saving all outputs with timestamp prefixes locally.

by Jeff Yang (@j3ffyang)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (image → cinematic video using Gemini/Veo) matches the instructions which call Google Generative APIs and run a local Python script to save an MP4. Requesting a Google API key, python3, curl, date, mkdir, and the google-generativeai package is coherent with that purpose. However the registry-level metadata shown to you earlier claims no required env vars/binaries while SKILL.md declares GOOGLE_API_KEY and required bins/packages — that discrepancy is unexplained.
Instruction Scope
SKILL.md stays within the stated scope: it downloads or copies an image, asks Gemini (nano-banana) to produce a motion prompt, enhances it, writes a Python script that uploads the image and invokes a Veo generation model, and saves outputs into a dedicated workspace path. It does send the user's image and prompts to an external API (Gemini/Veo), which is expected but is a privacy/sensitivity consideration. The provided Python is pseudocode (assumes response.parts.file.data) and will need adjustment for the real API response format; the skill's instructions give the agent discretion for polling and error handling, which could be vague.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not download arbitrary archives or write install-time binaries. That is lower risk from an install-mechanism perspective.
Credentials
The runtime requires GOOGLE_API_KEY (used to call google.generativeai) which is appropriate for the declared external service, but the registry summary provided to you earlier omitted this requirement. The skill will upload user images and prompts to a third-party service when run; that access to a single sensitive credential is proportionate to the task but must be explicitly declared and consented to. Also verify that no other env vars or config paths are accessed at runtime (SKILL.md only references the one).
Persistence & Privilege
The skill does not request always:true and does not attempt to modify system/global configurations. It writes outputs only to a local per-user workspace (~/.openclaw/workspace/tibetanProc/) per its guardrails; verify the agent enforces that path and that the guardrail is actually enforced at runtime.
What to consider before installing
Before installing:
1) Confirm the registry metadata mismatch: SKILL.md requires GOOGLE_API_KEY, but the registry summary showed no required env vars; do not supply credentials until this is clarified.
2) Understand that running the skill will upload your image and prompts to Google Generative APIs (privacy risk).
3) Inspect and (if possible) review the Python code that will be generated/run; the provided snippet is pseudocode and may mishandle API responses or write files unexpectedly.
4) Ensure you are comfortable with outputs being written into ~/.openclaw/workspace/tibetanProc/ and that the agent actually enforces the stated 'no outputs outside' guardrail.
5) If you decide to proceed, provide only a scoped API key (least privilege) and test with non-sensitive images first.
If the publisher/source cannot be verified or the metadata mismatch is not fixed, treat the skill with caution or avoid providing credentials.


latest: vk97d9te4mscqykk3xvccppwd3d84nhm7

