Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mediaio Image to Video API

v1.0.0

Animate static images into dynamic AI-generated videos with realistic motion using Media.io OpenAPI and an API key.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and included Python router all align with a Media.io image-to-video API integration: the code calls endpoints under openapi.media.io and expects an API key for X-API-KEY. However the registry metadata (top-level 'Requirements') lists no required environment variables, while SKILL.md and the code require API_KEY — an inconsistency between declared registry requirements and the actual runtime needs.
Instruction Scope
SKILL.md describes only Media.io APIs (Credits, Task Result, Vidu Q3) and declares API_KEY as the only environment variable. The runtime script only reads the provided c_api_doc_detail.json and calls openapi.media.io endpoints using that API key. The instructions do not ask the agent to read unrelated files, extra env vars, or transmit data to unknown hosts; the code explicitly blocks hosts not equal to openapi.media.io.
Install Mechanism
There is no install spec (no downloads or package installs), which is low-risk. However, the bundle includes a Python script that depends on the 'requests' library, and the package declares no dependencies. Running the script will fail unless 'requests' is already available, or it will require installing that network-capable Python package first. No external or untrusted download URLs are used.
Credentials
At runtime the code requires an API_KEY (used as X-API-KEY) to authenticate to Media.io — this is proportionate to the function. The concern is the mismatch: registry metadata claims no required env vars while SKILL.md and the script require API_KEY, so the installer/user may be unaware they're expected to provide a secret. No other credentials or unrelated secrets are requested.
Persistence & Privilege
The skill does not request 'always: true' or any elevated persistence. It can be invoked autonomously by the agent (default), which is expected for skills; there is no code that modifies other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (call Media.io OpenAPI endpoints), and the script even enforces calls only to openapi.media.io. Before installing:
(1) Note the registry metadata omission: you must provide an API_KEY (X-API-KEY) even though the top-level metadata lists none. Don't supply that key unless you trust the publisher.
(2) The package includes a Python script that uses the 'requests' library but declares no dependencies; run it in a controlled environment (sandbox/isolated container) and make sure the required libraries are installed.
(3) The source/homepage is missing and the owner ID is not a well-known vendor; consider verifying the Media.io integration from an official source, or obtain an API key scoped for limited use.
(4) If you proceed, restrict the API key's permissions and monitor its activity; avoid reusing high-privilege credentials.
