ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wanjie-openclaw-video

v2.0.0

Automatically generate Veo videos via natural language commands with background monitoring, dependency handling, and timeout recovery features.

0· 37·0 current·0 all-time
by@liangshenghzj888-stack
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with the actual behavior: it spawns a Python worker to call a Veo model API and write results to a file. However, the manifest/registry metadata do not declare that the skill will read the user's ~/.openclaw/openclaw.json to extract an API key — the SKILL.md mentions the file, but the skill package metadata (required env/config fields) does not. This is a proportional capability for contacting a third‑party model service, but it should be explicitly declared.
!
Instruction Scope
SKILL.md claims background monitoring every 5 minutes and deployment of a Windows Task Scheduler job; the actual code does not create any scheduled task or implement a periodic monitor loop. hooks.js simply spawns a detached Python process per trigger (so there is no built-in scheduler), and video_interface.py provides a helper that can auto-install 'requests' — but hooks.js bypasses that helper and calls veo_worker.py directly, so the promised 'automatic dependency repair' may not work in the common invocation path. The worker reads the local OpenClaw config for an API key and sends it to a remote domain; it writes logs and result files locally and opens returned URLs in the user's environment.
Install Mechanism
This is an instruction+code skill with no install spec; no arbitrary remote downloads or archive extraction are used. The code may pip-install 'requests' at runtime (video_interface.py), which is expected for a Python script that uses requests.
!
Credentials
The code reads a sensitive local configuration file (~/.openclaw/openclaw.json) to extract an API key and then uses that key as a Bearer token when contacting https://maas-openapi.wanjiedata.com. The registry manifest did not declare required env/config access; SKILL.md mentions setting the API key but the platform metadata did not mark this as a required credential. Sending your OpenClaw API key to an external service is a privacy/credential-exposure risk and should be clearly declared and consented to.
Persistence & Privilege
always:false (no forced global enable) and the skill is user-invocable. It spawns detached background processes which will persist outside the agent process lifetime; this is expected for a background worker but increases blast radius because the worker can run and make outbound network calls independently. The skill does not modify other skills or system-wide settings in the provided code, and it does not set up the promised Windows Task Scheduler entry automatically.
What to consider before installing
This skill launches a detached Python worker that reads your OpenClaw config (~/.openclaw/openclaw.json) to extract an API key and then sends requests to https://maas-openapi.wanjiedata.com. Before installing, consider: (1) Are you comfortable with your OpenClaw API key being read and used to call this external domain? The manifest did not explicitly declare that behavior. (2) The README/SKILL.md promises periodic monitoring and a Windows scheduled task, but the code does not create such a scheduler — expect only per-invocation background jobs. (3) hooks.js spawns veo_worker.py directly (it does not run the helper that auto-installs dependencies), so ensure Python and 'requests' are available or the worker may fail. (4) Because the skill spawns detached processes that can run independently and open URLs on your machine, test it in an isolated environment (or inspect/modify code) and verify the remote endpoint (wanjiedata domain) and its privacy policy before trusting your API key. If you proceed, consider editing the code to (a) require explicit user confirmation before reading/sending the API key, (b) add logging/consent for network calls, and (c) ensure dependency installation is invoked in the hook path or handled at install time.
hooks.js:11
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972z8nab79ykrsdmk7rgb3ce184waay
37downloads
0stars
1versions
Updated 3d ago
v2.0.0
MIT-0
@liangshenghzj888-stack
latest
Download

Skill: wanjie-video-skill

作者: 何振杰

功能描述

一个高性能 Veo 视频生成技能,支持通过自然语言一键生成。现已升级为全自动守护模式。

适用场景

  • 自动化视频创作。
  • 无需命令行参数,通过自然语言对话生成视频。
  • 具备自动依赖修复、超时自愈、任务防重及全自动后台监控功能。

安装说明

  1. 使用 clawhub install wanjie-openclaw-video-v1-0-2 安装。
  2. 确保在 ~/.openclaw/openclaw.json 中配置了有效的 API Key。

使用方法

安装后,直接在聊天窗口输入:

生成视频:[您的提示词]

后台会启动定时监控(每5分钟一次),若检测到空闲,会自动处理任务并将结果通过日志文件同步。

运行机制

  • 拦截指令后,自动调用后台进程生成。
  • 具备 30 分钟任务超时强制清理机制,防止任务卡死。
  • 支持自动依赖安装(requests 库)。
  • 生成结果会自动存入 veo_result.txt,支持定时任务闭环管理。

注意事项

  • 请确保系统环境已安装 Python。
  • 本插件部署了 Windows 任务计划程序 OpenClaw_Veo_Monitor 进行自动化监控。

Comments

Loading comments...