Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tencent VOD
v1.0.5
A dedicated assistant for generating Tencent Cloud VOD (Video on Demand) operation commands. Whenever a user's request involves any specific VOD operation, this Skill must be triggered, including but not limited to: [Upload] uploading local video/audio/image files, pull-upload from a URL into VOD, setting expiration time / SessionId deduplication / storage path / upload by application name; [Media processing] transcoding / Top Speed Codec / screenshots / sprite sheets / video enhancement / real-person enhancement / anime drama...
⭐ 0 · 43 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and the Python scripts clearly require Tencent Cloud credentials (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY) and optional VOD AIGC token/sub-app id, which are appropriate for a VOD helper. However the registry metadata lists no required environment variables or config paths — a direct mismatch. The code base (many scripts) matches the described VOD functionality, so the capability is real, but the skill bundle metadata understates the credentials/config access it needs.
Instruction Scope
Runtime instructions and the included vod_load_env.py direct the agent to scan and load environment variables from system files (/etc/environment, /etc/profile, ~/.bashrc, ~/.profile, ~/.bash_profile, ~/.env). Loading is conditional (file must contain a target key) but when triggered the code loads all KEY=VALUE pairs from that file into the process environment. This goes beyond simply asking for an API key and includes reading user/system config files — a scope expansion that should be explicit in metadata and accepted by the user.
Install Mechanism
There is no external install script or network download; the skill is instruction + bundled Python scripts that rely on the public 'tencentcloud-sdk-python' and 'requests' packages. No URLs, shorteners, or remote code downloads were found in the provided files. Because code files are bundled but no install spec is declared, users or platforms must ensure the Python deps are installed before running scripts.
Credentials
Requesting Tencent Cloud SecretId/SecretKey is proportionate for a VOD integration. But the skill's manifest did not declare these env-vars as required while SKILL.md and the scripts do — an inconsistency. Additionally, vod_load_env.py will load all KEY=VALUE lines from any config file it deems relevant if a target variable is present, potentially pulling unrelated secrets into the process environment. That behaviour increases the risk surface and should be explicitly disclosed.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent configuration. The vod_load_env tool loads variables into the current process only (not persistently writing back), and scripts make API calls via the Tencent Cloud SDK — no evidence of persistent background agents or forced inclusion.
What to consider before installing
This package implements real Tencent VOD operations and needs your Tencent SecretId/SecretKey and optionally an AIGC token or sub-app id. However: (1) the registry metadata did not declare these required env vars even though SKILL.md and the scripts need them—that's a red flag for transparency; (2) the included vod_load_env.py will scan and load KEY=VALUE lines from several system files (e.g. /etc/profile, ~/.bashrc) if it finds a target variable there, which could import other secrets into the process environment.
Before installing or running:
- Only use in an isolated environment or container you control.
- Prefer to supply least-privilege or temporary Tencent credentials (short-lived keys) rather than full long-lived keys.
- Review the code (vod_load_env.py and scripts) yourself or have a trusted admin do so; consider removing or restricting automatic env-file loading.
- Verify that you trust the source (owner/publishing metadata unknown here).
If you are uncomfortable, do not provide your real SecretId/SecretKey and do not run the env auto-loader.
latest vk97a5pqkc2ssaqkk9hb83k35xh84vbcn