ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Las Video Resize

v1.0.0

Audio format conversion operator. Use this skill when user needs to: - Convert audio files between formats (wav, mp3, flac) - Change audio properties (sample...

0· 53·0 current·0 all-time
by@volcengine-skills
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code and SKILL.md implement an audio conversion operator (las_audio_convert) that calls a remote operator API; that is coherent with the described capability. However the registry-level name/description ("Byted Las Video Resize") and the skill slug differ from the actual internal name, and the registry metadata says no required env vars while the SKILL.md and code require LAS_API_KEY. These metadata inconsistencies reduce trust and are unexplained.
Instruction Scope
SKILL.md and the CLI instruct the agent to run scripts/skill.py to POST job data to the operator endpoint and read LAS_API_KEY from the environment or an env.sh file in the current directory. The instructions do not attempt to read arbitrary system files beyond env.sh and do not reference unrelated credentials. Reading env.sh (current directory) and using the LAS_API_KEY is within the declared runtime behavior, but env.sh usage is not declared in the registry metadata.
Install Mechanism
There is no install spec (instruction-only deployment) and the package contains a single Python CLI script and documentation. No external downloads or arbitrary installs are performed by the skill package itself.
!
Credentials
The runtime requires LAS_API_KEY (read from LAS_API_KEY env var or env.sh), which is appropriate for an authenticated operator API. However the registry metadata declared no required env vars — that mismatch is problematic. No other credentials are requested, so the scope of secrets requested is narrow and proportional to the task itself.
Persistence & Privilege
always is false and the skill does not request persistent agent-wide privileges or attempt to modify other skills. It performs outbound network calls to a vendor operator domain, which is expected for this functionality.
What to consider before installing
This package's code appears to do what the documents describe (send a conversion job to operator.las.cn-beijing.volces.com and requires LAS_API_KEY). However: 1) the registry title/slug ("Byted Las Video Resize") does not match the internal skill name (las_audio_convert) — this could be sloppy or intentional mislabeling; 2) the registry metadata claims no required env vars but the code and SKILL.md require LAS_API_KEY (and will also try to read env.sh in the current directory). Before installing, verify the operator domain and owner, and confirm you trust the publisher. Do not place other secrets in env.sh in the same directory (the script will look there). Consider testing in an isolated environment, run the script with --dry-run to inspect payloads, and only provide a scoped API key (not broad credentials) that you can revoke if needed. If you need assurance, ask the publisher to correct the metadata and provide a homepage or source repository for verification.

Like a lobster shell, security has layers — review code before you run it.

latestvk97437hyc2arve7573yeyf3xj583j6pa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments