Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeryAI Video Toolkits
v0.1.3
Process and edit existing videos using WeryAI video toolkits. Use when the user needs to remove video backgrounds, replace backgrounds, apply anime style tra...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included scripts align with a WeryAI video-editing client: node CLI, many tool-specific endpoints, input validation, dry-run support, and local-file upload. However the declared required environment variables are inconsistent with the prose: SKILL.md describes WERYAI_BASE_URL as an optional override (defaults to https://api.weryai.com), but the registry metadata and top-level requirements list WERYAI_BASE_URL as required. Requiring a base URL is disproportionate for a client that normally uses the vendor's default endpoint.
Instruction Scope
SKILL.md instructs the agent to run the included node CLI and to supply WERYAI_API_KEY; it supports dry-run and uploading local files. The runtime instructions and code limit scope to WeryAI API interactions and local-file validation/upload. Notably, the code accepts a webhook_url parameter (passed through to the API) and automatically uploads local file paths to the remote API — both are legitimate for this tool but expand the data flow surface beyond simple API calls (local files will be transmitted to the remote service; webhooks could direct results to third-party endpoints).
Install Mechanism
No installer or remote downloads are used; this is an instruction-only package with all runtime code included. It requires Node.js to execute the bundled scripts. No fetch-from-arbitrary-URL installation steps were found.
Credentials
Primary credential WERYAI_API_KEY is appropriate and expected. However, the registry lists WERYAI_BASE_URL as a required environment variable while SKILL.md documents it as optional and defaults to the official API host. Requiring a base URL is unnecessary and could cause confusion or misconfiguration. Because the code uses the base URL for uploads and API calls, setting it to an untrusted host would redirect uploads and API traffic (including any local files) away from the official service. Also the runtime accepts a user-provided webhook_url that will be forwarded to the API — this can cause results or callbacks to be delivered to arbitrary endpoints if the user supplies them.
Persistence & Privilege
The skill does not request always:true, does not claim to persist beyond its own files, and does not modify other skills or global agent settings. Autonomous invocation remains allowed (default) but that is expected for skills. There are no special privilege escalations declared.
Scan Findings in Context
[pre-scan-injection-none] expected: No regex-based injection or suspicious code patterns were reported by the pre-scan. The package contains many vendor files but no flagged patterns.
What to consider before installing
This package largely does what it says: a Node CLI that uploads videos/images/audio and calls the WeryAI API to edit videos. Before installing or running:
1) Do not paste your WERYAI_API_KEY into files — set it in the runtime environment as instructed.
2) Confirm whether your runtime will prompt for WERYAI_BASE_URL; do not set this to an untrusted or unknown host (the code will send uploads and API calls to that URL).
3) Be aware that supplying local file paths causes the CLI to read and upload those files to the API — avoid pointing it at sensitive local files.
4) The CLI forwards any webhook_url you provide to the API; avoid passing webhook URLs you don't control or trust to prevent unexpected data exfiltration.
5) Use the provided dry-run mode to verify request shapes before spending credits or uploading real files, and consider running the tool in an isolated/short-lived environment when doing paid/risky runs.
6) If you need higher assurance, review the bundled scripts (especially the client/upload code) or run the tool behind network controls before providing secrets or local files.
scripts/vendor/weryai-core/upload.js:147
Environment variable access combined with network send.
scripts/video_toolkits.js:19
Environment variable access combined with network send.
scripts/vendor/weryai-core/upload.js:131
File read combined with network send (possible exfiltration).
scripts/video_toolkits.js:362
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk9780wkyzwtzhsjh994xwps1zh83gb0t
Runtime requirements
🎞️ Clawdis
Bins: node
Env: WERYAI_API_KEY, WERYAI_BASE_URL
Primary env: WERYAI_API_KEY
