Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wanjie-openclaw-video

v1.0.0

Generate videos via natural language with automatic task monitoring, dependency management, timeout cleanup, and background processing for high-performance V...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liangshenghzj888-stack/wanjie-openclaw-video-v1-0-1.

Install the skill "wanjie-openclaw-video" (liangshenghzj888-stack/wanjie-openclaw-video-v1-0-1) from ClawHub.
Skill page: https://clawhub.ai/liangshenghzj888-stack/wanjie-openclaw-video-v1-0-1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wanjie-openclaw-video-v1-0-1

ClawHub CLI


npx clawhub@latest install wanjie-openclaw-video-v1-0-1
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's stated purpose (call a Veo model to generate video) matches the code that calls an external Veo API. However, instead of requiring the specific service key, the worker reads ~/.openclaw/openclaw.json and picks the first provider's apiKey (cfg['models']['providers'].values()[0]['apiKey']). That can cause the skill to reuse or leak an unrelated provider key (e.g., an OpenAI key) to a third-party endpoint — this access is not scoped or declared in the manifest/SKILL.md and is disproportionate to the narrowly stated purpose.
[!] Instruction Scope
Runtime instructions and code run detached background processes (hooks.js spawns a detached python process; veo_worker.py and video_interface.py both launch subprocesses). The worker reads a user config file (~/.openclaw/openclaw.json), writes logs/results into the skill directory, streams data from a third-party API, extracts the first URL from the streamed content and opens it in the user's browser. It also claims to deploy a Windows scheduled task in SKILL.md though no code creates such a task. Reading arbitrary config and auto-opening URLs are beyond a minimal 'generate video' scope and raise safety concerns.
Install Mechanism
The skill has no formal install spec, but the Python helpers will auto-install the requests package at runtime (video_interface.ensure_dependencies uses pip). Runtime pip installs are moderately risky (network download, executed by the user's Python). requirements.txt lists requests, consistent with behavior.
[!] Credentials
The manifest declares no required env vars or config paths, yet the code reads ~/.openclaw/openclaw.json to extract an apiKey. That key is not explicitly requested/declared and may be unrelated to the Veo service. The skill therefore has access to potentially sensitive credentials (any provider apiKey stored in that file) without declaring or limiting which key it uses.
Persistence & Privilege
The skill does not set always:true and does not modify other skills or global agent config. However, it intentionally launches detached background worker processes and creates lock/log/result files in its model/scripts directory; those processes can persist outside the immediate chat response lifetime. This persistent behavior is expected for a background worker but increases blast radius if the code mishandles credentials or opens URLs.
What to consider before installing
This skill will run a detached Python worker, auto-install the requests package if missing, read your ~/.openclaw/openclaw.json and send whatever apiKey it finds to a third-party API (https://maas-openapi.wanjiedata.com). Before installing: (1) don't use your primary provider keys — create and place a dedicated API key for this Veo service in a separate config or modify the code to read an explicit env var; (2) inspect or run the code offline to verify it uses the intended key; (3) be cautious because the worker will auto-open the first URL returned by the service in your browser; and (4) if you need stricter control, ask the author to change the code to accept a declared environment variable (e.g., WANJIE_API_KEY) instead of reading ~/.openclaw/openclaw.json and to avoid auto-opening URLs or running pip installs automatically.
hooks.js:11
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b9zs03gtj9j98x46a7ddvtn84k5zm
114 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Skill: wanjie-video-skill

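Author: 何振杰

Description

A high-performance Veo video generation skill that supports one-step generation from natural language. It has now been upgraded to a fully automatic daemon mode.

Use cases

  • Automated video creation.
  • Generating videos through natural-language conversation, with no command-line arguments required.
  • Automatic dependency repair, timeout self-recovery, duplicate-task prevention, and fully automatic background monitoring.

Installation

  1. Install with clawhub install wanjie-video-skill.
  2. Make sure a valid API key is configured in ~/.openclaw/openclaw.json.

Usage

After installation, type the following directly in the chat window:

生成视频:[your prompt] ("Generate video: [your prompt]")

A scheduled monitor starts in the background (running once every 5 minutes); when it detects that the system is idle, it automatically processes the task and syncs the result through a log file.

How it works

  • After intercepting the command, the skill automatically invokes a background process to generate the video.
  • A forced cleanup mechanism ends tasks after a 30-minute timeout to prevent them from hanging.
  • Supports automatic dependency installation (the requests library).
  • Results are automatically saved to veo_result.txt, supporting closed-loop management by the scheduled task.

Notes

  • Make sure Python is installed on the system.
  • This plugin deploys a Windows Task Scheduler task, OpenClaw_Veo_Monitor, for automated monitoring.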
