Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wanjie-openclaw-video

v2.0.0

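A high-performance Veo video generation skill that supports one-click generation from natural language, with automatic background dependency repair, timeout self-healing, and task monitoring.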

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liangshenghzj888-stack/wanjie-openclaw-video-v2-0-1.

Install the skill "wanjie-openclaw-video" (liangshenghzj888-stack/wanjie-openclaw-video-v2-0-1) from ClawHub.
Skill page: https://clawhub.ai/liangshenghzj888-stack/wanjie-openclaw-video-v2-0-1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wanjie-openclaw-video-v2-0-1

ClawHub CLI

npx clawhub@latest install wanjie-openclaw-video-v2-0-1
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md align with a video-generation skill that calls an external Veo API (maas-openapi.wanjiedata.com). Requiring Python and the requests library is consistent. However, the skill reads the user's ~/.openclaw/openclaw.json to obtain an API key (via _read_api_key_from_openclaw) but the package metadata did not declare any required config path or primary credential; the SKILL.md mentions the openclaw.json requirement only in prose. This omission is a transparency/consent issue even if functionally coherent.
!
Instruction Scope
SKILL.md claims background timed monitoring and Windows scheduled task deployment; the provided code spawns detached worker processes on message and implements a lock/timeout mechanism, but there is no installer or code that actually registers a Windows scheduled task or a 5-minute monitor loop. The worker reads the local OpenClaw config, writes logs and result files to model/scripts/, and will automatically open any URL extracted from the API response in the user's browser. Auto-opening arbitrary returned URLs and reading local config are broader-than-expected actions that should be explicitly disclosed and consented to.
Install Mechanism
There is no external install spec (instruction-only), so nothing is downloaded during install. However, at runtime video_interface.py will pip-install the requests package if missing (subprocess.check_call to pip). Runtime package installation modifies the Python environment and can have side effects; although common, it is an active change and should be considered by the user.
!
Credentials
No environment variables are requested, but the code reads a sensitive credential: it loads the OpenClaw API key from ~/.openclaw/openclaw.json and uses it to authenticate requests to the remote Veo service. That access is functionally explainable (the skill needs an API key), but the manifest did not declare this required config or mark the credential as a primary secret. Also, the skill logs a fingerprint of the key (first/last chars) but still reads the full key from disk — storing or transmitting that key is privacy-sensitive.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It starts detached background Python processes (hooks.js spawns python detached; video_interface.py spawns workers detached), creates lock/log/result files in its directory, and may persist processes outside the controlling agent. Autonomous invocation (default) plus detached background tasks increases the blast radius if the skill behaves unexpectedly, but these behaviors are consistent with a background-generation skill.
What to consider before installing
Key points to consider before installing:

  • This skill will read your OpenClaw API key from ~/.openclaw/openclaw.json. If you are not comfortable granting a skill access to that file, do not install it. The manifest does not declare this requirement explicitly.
  • At runtime it may pip-install the requests package into your Python environment; run it inside a virtualenv or isolated environment if you want to avoid changing system packages.
  • The skill launches detached background Python processes and writes veo_log.txt, veo.lock, and veo_result.txt into its scripts folder. These processes persist outside the chat session; verify and monitor them if you install the skill.
  • The worker will automatically open any URL returned by the remote API in your default browser. A malicious or compromised backend could return an unsafe URL — only use if you trust the remote service (maas-openapi.wanjiedata.com).
  • The SKILL.md mentions additional monitoring/scheduling behavior (Windows task), but the code does not implement automatic task registration; behavior described in docs and actual code differ.

Recommendations:

  1. Inspect the included Python files (veo_worker.py, video_interface.py) yourself (they are present) and run them in a controlled environment first.
  2. Use a throwaway/limited OpenClaw API key or run on a machine without sensitive credentials if you want to test.
  3. If you decide to install, run the skill inside a Python virtualenv and monitor processes/files it creates.

If you need the skill but want stricter behavior, ask the author to declare the config requirement in the manifest and to make URL-opening and auto pip-installation opt-in.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
hooks.js:11
Shell command execution detected (child_process).

latestvk977pepnknmn01yapx0dt0acc184xe2w
61 downloads
0 stars
1 version
Updated 1w ago
v2.0.0
MIT-0

Skill: wanjie-video-skill

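Author: 何振杰

Description

A high-performance Veo video generation skill that supports one-click generation from natural language. It has now been upgraded to a fully automatic daemon mode.

Use cases

  • Automated video creation.
  • Generating videos through natural-language conversation, with no command-line arguments required.
  • Automatic dependency repair, timeout self-healing, duplicate-task prevention, and fully automatic background monitoring.

Installation

  1. Install with clawhub install wanjie-openclaw-video-v2-0-1.
  2. Make sure a valid API Key is configured in ~/.openclaw/openclaw.json.

Usage

After installation, type the following directly in the chat window (生成视频 means "generate video"):

生成视频:[your prompt]

A scheduled background monitor starts (running once every 5 minutes); if it detects that the system is idle, it automatically processes the task and syncs the result through a log file.

How it works

  • After intercepting the command, it automatically invokes a background process to generate the video.
  • A 30-minute task timeout with forced cleanup prevents tasks from hanging.
  • Supports automatic dependency installation (the requests library).
  • Results are automatically saved to veo_result.txt, supporting closed-loop management by scheduled tasks.

Notes

  • Make sure Python is installed on the system.
  • This plugin deploys a Windows Task Scheduler task, OpenClaw_Veo_Monitor, for automated monitoring.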
