Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
wanjie-openclaw-video
v1.0.0
Generates Veo videos via natural language commands with automatic dependency repair, timeout handling, and background task monitoring.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and code all align around using a Veo model service to generate videos. The code posts prompts to a wanjiedata API and stores results in veo_result.txt, which matches the stated purpose.
Instruction Scope
Runtime instructions and code read ~/.openclaw/openclaw.json to extract an API key and send the user's prompt to an external endpoint. The worker also parses responses and automatically opens the first URL it finds in the user's browser. These actions go beyond simple local processing and involve reading local config and launching external network requests and browser windows.
Install Mechanism
No formal install spec is provided (instruction-only), which minimizes installer risk. However, the included Python helper will attempt to pip-install 'requests' at runtime if it is missing, and hooks spawn detached Python processes; both behaviors cause code execution and network access at runtime.
Credentials
The skill requests no environment variables but expects and reads the user's ~/.openclaw/openclaw.json to obtain an API key. That file may contain sensitive credentials; the skill extracts the first provider apiKey without explicit scoping. Using local credentials to call an external service is plausible for this feature, but the access to local config is sensitive and not declared in the metadata.
Persistence & Privilege
always is false and model invocation is allowed (normal). The skill launches detached background worker processes that persist after the invoking message. SKILL.md mentions a Windows scheduled task, but no code creates such a task. Background processes and persistent monitoring are expected for a 'daemon' style skill, but they increase blast radius and should be considered before use.
What to consider before installing
This skill appears to implement a legitimate video-generation flow, but exercise caution before installing: it will read your ~/.openclaw/openclaw.json to obtain an API key and send your prompts to https://maas-openapi.wanjiedata.com, it may auto-install Python packages at runtime, spawn detached background Python processes, and automatically open any URL returned by the service. Because the skill's source and homepage are unknown, consider these precautions: inspect the code yourself (or have someone you trust review it); run it in a sandbox or on a throwaway account/API key; back up and review ~/.openclaw/openclaw.json contents; or avoid installing if you cannot trust the publisher. The discrepancy (SKILL.md claims a Windows scheduled task but no code creates one) and the automatic opening of external URLs are the main risk signals.
hooks.js:11
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
