Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shortvideo
v0.1.1
Create videos using ShortVideo API. Supports product-to-video, image-to-ad-video, and replicate-video. Use this skill when users want to: generate product vi...
by @thecur
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (create videos via ShortVideo API) matches the scripts and endpoints in the repository: the scripts upload to /api/oss/upload and create tasks at /api/task/create. Requiring a SHORTVIDEO_BASE_URL and SHORTVIDEO_API_KEY is coherent with the stated purpose. However, the registry metadata declares no required environment variables or primary credential, which is inconsistent with the actual runtime requirements.
Instruction Scope
Runtime instructions and scripts will (a) read environment variables for the API host/key, (b) download arbitrary HTTP(S) URLs to temp files and upload them to the service, and (c) upload any local file paths provided as arguments. The SKILL.md and examples recommend running commands prefixed with 'source ~/.zshrc && ...', which causes the shell RC to be sourced and can pull many unrelated environment variables into the process. These behaviors are within the functionality scope but increase risk of unintentionally exposing other secrets or uploading sensitive local files if the agent or user supplies unsafe paths or blindly sources shell RC.
Install Mechanism
No install spec; this is an instruction+script bundle. Dependencies are minimal (requests). There are no remote install downloads or archive extracts. This is low-risk from an installer perspective.
Credentials
The only env vars the code actually uses are SHORTVIDEO_BASE_URL and SHORTVIDEO_API_KEY — these are proportionate to contacting the ShortVideo service. The problem is that the skill metadata declared no required envs/credential; the SKILL.md asks users to store the API key in ~/.claude or ~/.openclaw config or in shell RC, which can persist a secret in a config file. No other unrelated secrets or service credentials are requested.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request special platform privileges. It does not attempt to modify other skills or global settings. Autonomous invocation is allowed (platform default) but that alone is not flagged.
What to consider before installing
This package appears to implement a legitimate ShortVideo API client, but take these precautions before installing or using it:
1) The skill actually requires SHORTVIDEO_BASE_URL and SHORTVIDEO_API_KEY even though the registry metadata didn't list them — do not provide secrets unless you trust the ShortVideo service and this code.
2) The scripts will upload any local file paths you pass and will download arbitrary URLs and then upload them — avoid passing sensitive local files (private documents, SSH keys, etc.).
3) Avoid blindly following the examples that prefix commands with 'source ~/.zshrc && ...' — sourcing your shell RC can expose unrelated environment variables and secrets to the process; instead set only the SHORTVIDEO_* vars in a dedicated env file or export them manually in the same shell session.
4) Inspect scripts (impl.py and the task scripts) yourself to confirm no unexpected endpoints or hard-coded hosts; confirm SHORTVIDEO_BASE_URL points to the official service you intend to use.
5) If you want lower risk, run the scripts in an isolated environment (container, VM) and use a short-lived API key or restricted service account.
If you need me to, I can point out the exact lines in the scripts that do uploads, downloads, and source recommendations.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎬 Clawdis
