ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Visla AI Video Creation

v1.0.3

Creates AI-generated videos from text scripts, URLs, or PPT/PDF documents using Visla. Use when the user asks to generate a video, turn a webpage into a vide...

0· 2k·0 current·0 all-time
by@visla-admin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a Visla API CLI wrapper for creating videos. The only required environment variables are VISLA_API_KEY and VISLA_API_SECRET, which are exactly what an API client needs. The included files (Bash and Python CLIs under scripts/) match the described functionality and the API base URL (openapi.visla.us) matches the Visla purpose.
Instruction Scope
SKILL.md confines actions to creating videos from user-provided scripts/URLs/docs and checking account balance. It explicitly instructs the agent to request user consent before reading ~/.config/visla/.credentials and to avoid printing secrets. The CLIs will validate and fetch user-provided URLs (making network requests) and will upload documents via pre-signed S3 URLs as part of normal operation — this means the agent will make outbound network calls to Visla and to any URLs the user supplies, which is expected but worth noting to non-technical users.
Install Mechanism
There is no remote install or download spec; the skill is instruction-only with bundled scripts. No external archives or shorteners are fetched at install time. Runtime dependencies (curl, openssl, jq, python requests) are standard and checked at runtime.
Credentials
The skill only requests VISLA_API_KEY and VISLA_API_SECRET (VISLA_API_KEY marked primary), appropriate for contacting the Visla API. The SKILL.md documents using a local credentials file only with user consent. There are no unrelated or excessive environment variables or config paths requested.
Persistence & Privilege
The skill is not always-enabled and does not ask to modify other skills or system-wide settings. It does not request permanent presence or elevated privileges beyond normal agent invocation.
Assessment
This skill appears to do what it says: it runs local CLI wrappers that call Visla's API and upload user-supplied files. Before using it: (1) Only provide your Visla API key/secret if you trust the Visla service and this skill's source; (2) Grant explicit permission if the agent asks to read ~/.config/visla/.credentials — otherwise supply credentials yourself via environment variables or the CLI flag; (3) Be aware that providing a URL causes the agent to make outbound HTTP requests to validate and fetch that page, and uploading documents will use pre-signed S3 URLs returned by Visla; (4) If you don't trust the skill author, review the bundled scripts (they are included) or run them in a restricted environment. Overall there are no red flags, but treat API keys and uploaded documents as sensitive and only share when comfortable.

Like a lobster shell, security has layers — review code before you run it.

latestvk9744xrj8gwt52peq0qmmr6vqn81fepe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvVISLA_API_KEY, VISLA_API_SECRET
Primary envVISLA_API_KEY

Comments