Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
VEED UGC
v1.0.1
Generate UGC-style promotional videos with AI lip-sync. Takes an image (person with product from Morpheus/Ad-Ready) and a script (pure dialogue), creates a video of the person speaking. Uses ElevenLabs for voice synthesis.
by Paul de Lavallaz @pauldelavallaz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (generate UGC videos with lip-sync/TTS) match the code and SKILL.md: the script uploads an image, queues a run at ComfyDeploy, polls, and downloads the result. Mentioning ElevenLabs is reasonable because a voice_id is used, but ElevenLabs credentials are not required by the bundled code (ComfyDeploy is the service actually contacted).
Instruction Scope
SKILL.md and the included script instruct the agent to upload user-supplied images and script text to https://api.comfydeploy.com and to include an Authorization Bearer API key. The code also prints debug info and the first 500 characters of API responses to stdout, which can leak sensitive data (including tokens or returned URLs). The skill will transmit user images and text to an external service — this is expected for the stated purpose but is a privacy/data-exfiltration consideration that must be explicit to users.
Install Mechanism
There is no install spec (instruction-only plus an included Python script). Nothing is downloaded from arbitrary URLs and no install-time code execution is requested. Risk from install mechanism is low.
Credentials
The skill manifest declares no required env vars, but the script requires a COMFY_DEPLOY_API_KEY either via --api-key or environment (COMFY_DEPLOY_API_KEY). That mismatch is incoherent and could confuse users. No ElevenLabs secret is requested (because ComfyDeploy handles TTS), which is plausible, but the SKILL.md's voice/ElevenLabs messaging could mislead users into thinking an ElevenLabs key is required. The script's debug printing of response bodies can expose credentials or other sensitive return values to logs.
Persistence & Privilege
The skill is not always-enabled and does not request persistence or modify other skill/system settings. It runs on-demand and does not escalate privileges.
What to consider before installing
Before installing or running this skill, note that:
(1) the included Python script will upload any image and the script text you provide to https://api.comfydeploy.com — do not upload images of real people without explicit consent;
(2) the script requires a ComfyDeploy API key (COMFY_DEPLOY_API_KEY or --api-key) even though the skill metadata does not list that requirement — this mismatch is suspicious and you should provide a key with minimal privileges;
(3) the script prints API responses (first 500 chars) to stdout which can leak sensitive info to logs — review or remove these debug prints if you care about secrecy;
(4) ElevenLabs is referenced only for voice IDs; no ElevenLabs credential is included, because TTS is performed by the ComfyDeploy workflow — verify this behavior with the service owner;
(5) the source/homepage is unknown: prefer packages with a verifiable source or inspect the code thoroughly and run in an isolated environment.
If you are unsure, do not use with real users' images or private scripts until you confirm the service/policy and fix the manifest mismatch (declare the COMFY_DEPLOY_API_KEY requirement).
Like a lobster shell, security has layers — review code before you run it.
latest vk975e6rs6wjjh8knjdwvs9dtgs8106y7
