Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

medeo-video

v1.5.1

AI-powered video generation skill. Use when the user wants to generate videos from text descriptions, browse video recipes, upload assets, or manage video cr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and documentation implement AI video generation via the Medeo API (uploads, spawn-task, recipe browsing, and multi-platform delivery). Requiring a Medeo API key and platform delivery helpers (Feishu, Telegram) is coherent with the stated purpose. However, registry metadata at the top of the package listing claims no required env vars while SKILL.md and skill.json declare MEDEO_API_KEY as required — a metadata mismatch that should be reconciled.
Instruction Scope
Runtime instructions and scripts perform expected actions: check/set Medeo API key, upload files (including downloading user-provided URLs), spawn compose/render jobs, and deliver resulting videos to IM platforms. They also read OpenClaw channel credentials (e.g., Feishu appId/appSecret) from the local OpenClaw config to post notifications and deliver video. These behaviors are consistent with multi-platform delivery, but the SKILL.md includes an example that reads a hardcoded path (/home/ec2-user/.openclaw/openclaw.json) and posts a card using the channel credentials — the hardcoded path is brittle and unusual and should be reviewed.
Install Mechanism
No remote install script or arbitrary downloads are specified; the package is instruction + included Python scripts. requirements.txt only lists 'requests'. There is no extraction of remote archives or third-party installers in the manifest, which reduces install-time risk.
Credentials
The skill legitimately needs a Medeo API key (MEDEO_API_KEY) and will use platform-specific credentials for delivery (Feishu appId/appSecret from ~/.openclaw/openclaw.json, TELEGRAM_BOT_TOKEN for Telegram as documented). However: the top-level registry metadata omitted required env vars, the skill.json and SKILL.md declare MEDEO_API_KEY, and other channel tokens (e.g., TELEGRAM_BOT_TOKEN) are referenced in docs/scripts but not declared as required in the registry metadata. This mismatch could cause users to overlook what secrets the skill will access. Reading channel credentials from local OpenClaw config exposes those secrets to the skill (expected for delivery but important to be aware of).
Persistence & Privilege
The skill does not request 'always: true' and uses standard local storage under ~/.openclaw/workspace/medeo-video for config and job history. It does read existing OpenClaw config for channel credentials but does not appear to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with an elevated 'always' flag.
What to consider before installing
This package largely does what its description promises (generate videos via the Medeo API and deliver them to IM platforms), but check a few things before installing:
1) The registry metadata omits declared env vars — the skill actually requires a MEDEO_API_KEY and may use TELEGRAM_BOT_TOKEN and local OpenClaw channel credentials for delivery. Be prepared to provide those secrets.
2) Inspect the included scripts yourself (they are present in the package) to confirm there are no unexpected network endpoints — the code talks to medeo.app, Feishu, Telegram, and downloads user-supplied URLs.
3) The SKILL.md contains a hardcoded example path (/home/ec2-user/.openclaw/openclaw.json) — verify the code will use the correct config path in your environment.
4) Because the package's source/homepage is listed as unknown, prefer installing only from a trusted repository or vendor; if you decide to proceed, restrict tokens to minimal scopes and do not store unrelated high-value credentials in the OpenClaw config.
If you want, I can list the exact lines that read local config and network endpoints for quick review.


latest: vk97300xwdhxc3stc7zse83ap6183nrws


Runtime requirements

🎬 Clawdis
Bins: python3
