ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

video-generate

v1.0.0

Generate videos using Seedance models. Invoke when user wants to create videos from text prompts, images, or reference materials.

0· 150·27 current·29 all-time
byvolcengine_skills@warm-wm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose (calling a Seedance video-generation API). However the registry metadata declares no required env vars or primary credential while both SKILL.md and scripts expect an API key (ARK_API_KEY or MODEL_VIDEO_API_KEY or MODEL_AGENT_API_KEY) and optionally MODEL_VIDEO_API_BASE / MODEL_VIDEO_NAME. This metadata omission is an incoherence in the package manifest.
!
Instruction Scope
SKILL.md instructs the agent to produce local file paths and return both file and local path (example /root/.openclaw/workspace/skills/video-generate/xxx.mp4), but the included script only initiates tasks and returns URLs (it does not download videos or write files). The final-return requirements are therefore inconsistent with the implementation. SKILL.md also expects HTML/Markdown video embedding; that is fine, but the ambiguous 'URL must return in two ways' phrasing adds vagueness about required behavior.
Install Mechanism
There is no install spec (instruction-only), which reduces install risk. However the included script imports httpx (and other Python libs) yet the skill does not declare dependencies or provide an installation step — runtime failures are likely unless the environment already has these packages. No arbitrary external installers or downloads are present.
Credentials
The only sensitive inputs referenced are API keys for the video-generation service, which are appropriate for this functionality. That said, the skill metadata fails to declare these required env vars/primary credential, so a user may not realize they must supply a service API key. The script will send Authorization: Bearer <API_KEY> to an external host (API_BASE defaults to https://ark.cn-beijing.volces.com/api/v3).
Persistence & Privilege
The skill is not force-installed (always:false) and does not request system-wide configuration changes or other skills' credentials. It is a normal, on-demand skill with no elevated persistence privileges.
What to consider before installing
This skill appears to implement video-generation calls to an external Seedance API, but the package has multiple inconsistencies you should address before installing: (1) The script expects an API key (ARK_API_KEY / MODEL_VIDEO_API_KEY / MODEL_AGENT_API_KEY) and an API base URL, yet the registry metadata lists none — verify you trust the external service (ark.cn-beijing.volces.com) before providing a key. (2) The skill includes Python code that depends on third-party packages (httpx) but provides no install instructions; ensure those dependencies are installed in a safe environment. (3) SKILL.md asks the agent to return a local file path and file contents, but the script only returns remote video URLs and does not download files — clarify whether videos will be downloaded or only URLs provided. Recommended actions: inspect and test the script in a sandboxed environment, confirm the API host and its privacy/security posture, only provide API keys with least privilege and rotate them if used for testing, and ask the publisher to correct the manifest (declare required env vars and dependencies) before trusting this skill for production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk974wqnbx8d6n46shqerw60t1d835ka1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments