Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Runwayml

v1.0.0

Generate AI videos, images, and audio with Runway API. Use when generating video from images, text-to-video, video-to-video, character performance, text-to-i...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description (Runway video/image/audio generation) match the instructions in SKILL.md: text→video, image→video, and audio examples are provided. However, registry metadata states no required env vars or binaries, while SKILL.md explicitly requires a Runway API key (RUNWAYML_API_SECRET) and the Node.js SDK (@runwayml/sdk). This metadata omission is inconsistent with the stated purpose and usage.
Instruction Scope
SKILL.md gives concrete runtime instructions: install the Node.js SDK, create a client that reads RUNWAYML_API_SECRET, and call textToVideo/imageToVideo. Its examples also read local files (fs.readFileSync('product.jpg')). These file and env-var accesses are coherent with image→video functionality, but they do instruct the agent to read local files and an API secret. Those actions affect local data and credentials and therefore should be declared in metadata.
Install Mechanism
There is no formal install spec in the registry (instruction-only skill). SKILL.md instructs the user/agent to run `npm install @runwayml/sdk`, which is a normal dependency for Node usage but is not captured in the package metadata. Lack of an install spec means the agent or integrator may need to install dependencies at runtime; this is an operational gap rather than an immediate code risk, but it reduces transparency.
Credentials
SKILL.md requires a single API credential (RUNWAYML_API_SECRET), which is proportional to the declared functionality. The concern is that the registry metadata does not declare this required environment variable (metadata lists none). That mismatch could lead to accidental credential exposure or failure to warn users that a secret is needed. The instructions also indicate reading local image files, which is reasonable for image→video but should be explicit in metadata/permissions.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not include install-time hooks or modifications to other skills. It is user-invocable and allows autonomous invocation (default), which is normal for skills; this alone does not raise extra privilege concerns.
What to consider before installing
This skill appears to be a straightforward Runway API integration, but the published metadata does not match the SKILL.md. Before installing or enabling it:
1) Verify the skill's source and author identity (the registry shows no homepage).
2) Expect that it will require a Runway API key (RUNWAYML_API_SECRET) and will read local image files if you request image→video—do not provide secrets to untrusted skills.
3) Prefer running in a disposable or sandboxed environment until you trust the skill.
4) Ask the publisher to update the registry metadata to declare the RUNWAYML_API_SECRET env var and any install steps (npm package) so permission and install requirements are transparent.
5) Confirm the API endpoints (dev.runwayml.com) and rate/credit costs in your Runway account before use.

Like a lobster shell, security has layers — review code before you run it.
