Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multishot UGC

v1.0.1

Generate 10 perspective/angle variations from a single image for multi-shot UGC videos.

✅ USE WHEN:
- Have a hero image and need camera angle variations
- Creating multi-scene UGC videos (need different shots)
- Want close-ups, wide shots, side angles from one source
- Building a video with scene changes

❌ DON'T USE WHEN:
- Don't have a hero image yet → use morpheus-fashion-design first
- Need completely different scenes/locations → use Morpheus multiple times
- Just need one image → skip this step
- Want to edit images manually → use nano-banana-pro

INPUT: Single image (person with product)
OUTPUT: 10 PNG variations with different perspectives
TYPICAL PIPELINE: Morpheus → multishot-ugc → select best 4 → veed-ugc each → Remotion edit

by Paul de Lavallaz (@pauldelavallaz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and scripts implement a multishot image-generation flow that queues a ComfyDeploy deployment and downloads outputs; this aligns with the described purpose. However, the registry metadata lists no required environment variables or primary credential, while the script requires a COMFY_DEPLOY_API_KEY; that metadata omission is a mismatch.
Instruction Scope
Instructions and the included script only perform actions relevant to the task: optionally upload a local image, queue a deployment, poll for completion, and download images. SKILL.md does not disclose that an API key is required (the script does), which is an important omission for runtime behavior.
Install Mechanism
No install spec is provided (instruction-only, with a small helper script and a pyproject). There is a declared Python dependency (requests) in pyproject.toml, but nothing is automatically downloaded or executed by an install step in the registry metadata.
Credentials
The code requires a single environment secret (COMFY_DEPLOY_API_KEY) to call api.comfydeploy.com; that credential is proportionate to the stated purpose. The concern is that the skill metadata did not declare this required env var or a primary credential, which is a visibility/consent issue and may surprise users. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent 'always' presence, does not modify other skills or system-wide settings, and is user-invocable only. It runs network calls to the declared third-party API but does not attempt privilege escalation or persistent system changes.
What to consider before installing
Before installing or running this skill:
- Expect to provide a COMFY_DEPLOY_API_KEY environment variable (the script will fail without it). The registry metadata failing to list this is an inconsistency you should ask the publisher to fix.
- Understand that local images will be uploaded to https://api.comfydeploy.com and outputs downloaded back; do not upload sensitive or private images unless you trust ComfyDeploy and have reviewed their terms/privacy.
- Verify the deployment_id and the ComfyDeploy domain independently (publisher/source is unknown and no homepage is provided). If you don't recognize the provider, request provenance or use an alternative with known trust.
- Limit the API key scope if possible, store it securely, and rotate/revoke it if exposed.
- If you need stronger assurance, ask the skill author to (a) declare COMFY_DEPLOY_API_KEY in the registry metadata, (b) provide a homepage or source provenance, and (c) explain data retention/processing on ComfyDeploy for uploaded images.

Like a lobster shell, security has layers — review code before you run it.
