Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Las Video Inpaint

v1.0.0

Video inpainting operator (las_video_inpaint) for removing watermarks/subtitles/logos from videos. Use this skill when user needs to: - Remove watermarks, su...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md align with the described purpose: they call operator.las.<region>.volces.com submit/poll endpoints to run a video inpaint operator and require an API key. However the registry metadata claims no required env vars or primary credential while both SKILL.md and scripts/skill.py clearly require LAS_API_KEY (and optional LAS_REGION/REGION/region). This metadata omission is an inconsistency.
! Instruction Scope
SKILL.md instructs using public/intranet/TOS URLs, but the script explicitly forbids resolving to private/intranet IPs (it DNS-resolves hostnames and rejects private IP ranges). That contradicts the 'intranet URL' claim. The script also reads LAS_API_KEY from env or an env.sh file in the current directory—expected for an API-key-based operator—but SKILL.md and runtime behavior differ on intranet access.
Install Mechanism
There is no install spec (instruction-only + a local helper script). Nothing is downloaded or written by an installer; the provided script uses standard libraries and requests. This is the lower-risk model for install mechanism.
! Credentials
The runtime requires LAS_API_KEY and optionally LAS_REGION/REGION/region as environment inputs; these are proportional to contacting the remote operator. But the registry metadata lists no required env variables, which is inconsistent and could mislead users into installing without providing the API key or knowing what will be accessed. The script also reads a local env.sh for the key, which is reasonable but should be documented in metadata.
Persistence & Privilege
The skill is not marked always:true and does not request any persistent system-wide privileges. It does not modify other skills or agent configs. Autonomous invocation is allowed by platform default (disable-model-invocation is false), which is normal.
What to consider before installing
This skill's code matches its stated function (submitting and polling a remote video inpaint operator) but there are a few inconsistencies you should resolve before installing:
(1) SKILL.md and scripts/skill.py require LAS_API_KEY (and optionally region env vars) but the registry metadata lists no required env vars — treat LAS_API_KEY as mandatory and only provide a key with appropriate, limited permissions.
(2) The README claims 'intranet URL' support, but the script blocks private/intranet IPs by DNS resolution — do not rely on intranet access unless the developer confirms behavior.
(3) Inspect and verify the LAS API endpoint (operator.las.cn-*.volces.com) is the legitimate service you expect and that the API key will be used only for this operator.
(4) You can test calls locally using the script's dry-run mode and the provided submit/poll flow before giving any long-lived credentials to an agent.
If the publisher/registry metadata is corrected to declare LAS_API_KEY and the intranet claim is clarified (or removed), the skill would be coherent; until then treat it with caution.
