Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Remotion Video Generator

v1.0.0

AI video production workflow using Remotion. Use when creating videos, short films, commercials, or motion graphics. Triggers on requests to make promotional...

0 · 801 · 5 current · 6 all-time
by ohnednez@zendenho7
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with included files: node/npm/python3 are reasonable for Remotion + a Python scraper. The two included scripts implement the claimed behaviors. One inconsistency: the SKILL.md instructs running a Cloudflare tunnel via another skill's script (skills/cloudflare-tunnel/scripts/tunnel.sh) which is not included or declared here — referencing a separate skill/tool without declaring needed credentials or explaining the dependency is surprising.
Instruction Scope
Runtime instructions direct the agent to: (a) scrape arbitrary brand websites using the included scrapling.sh (which fetches and parses remote pages), (b) download assets (logo/OG images) via curl, (c) construct a screenshot request to thum.io (sending the target URL to a third-party screenshot service), and (d) expose the local dev server with a Cloudflare tunnel and share the public URL. Scraping arbitrary URLs and sending them to third parties can leak user-supplied or sensitive URLs; exposing a dev server publicly can leak project files if misconfigured. These actions are within a video-production workflow but carry privacy/exfiltration risks that the skill does not call out or require explicit authorization for.
Install Mechanism
There is no formal install spec (instruction-only), which keeps disk writes limited to when you run commands. SKILL.md recommends 'pip install scrapling' and 'npm install -g remotion' — installing packages from PyPI/NPM is expected, but the scrapling package is referenced by GitHub and may be less well-known; the instructions do not pin versions or provide provenance. No downloads from odd URLs are present in the provided files.
Credentials
The skill declares no required environment variables or credentials, yet its workflow instructs starting a Cloudflare tunnel via an external script (which typically requires Cloudflare credentials or configuration). That credential requirement is not declared. The scrapling script prints 'export' lines (brandName, logoUrl, etc.) but does not request secrets; however, it also causes the agent to fetch external URLs and contact thum.io, which means user-supplied URLs (and possibly metadata) are transmitted to third parties without explicit mention. This mismatch between declared credentials (none) and runtime network interactions is a concern.
Persistence & Privilege
The skill's always flag is false and the skill does not request persistent platform privileges. It does, however, instruct running background dev servers and exposing them via a tunnel, and it uses npx / npm to install and run tools; these actions create long-lived network exposure when executed. The skill does not modify other skills' configs, but it references another skill's tunnel script, which could increase its effective privilege if that other script has additional requirements.
What to consider before installing
Before installing or running this skill, consider the following:
1) The included scrapling.sh will fetch and parse any URL you pass and will send a constructed screenshot request to thum.io — this can reveal the target URL and site metadata to third parties. Avoid scraping sensitive/internal sites.
2) The workflow instructs exposing your local Remotion Studio via a Cloudflare tunnel and sharing the public URL; do not run that step for projects that contain private data, credentials, or unpublished content.
3) The SKILL.md references another skill's tunnel script but does not declare any Cloudflare credentials — check what credentials that tunnel requires and never provide secrets to a skill you don't trust.
4) The skill recommends installing the 'scrapling' Python package; verify the package source and review its code before pip installing into any production environment.
5) If you decide to run it, do so in an isolated environment (container or VM), review the scripts line-by-line, and manually run only the steps you understand (especially scraping and tunneling).
If you want higher assurance, ask the author for a homepage/repository and for explicit details about the scrapling package and the tunnel script it references.

Runtime requirements

🎬 Clawdis
Bins: node, npm, python3