Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FlowCutPro

v1.0.0

AI-powered cinematic video production using Google Veo 3 as the renderer and OpenClaw's configured LLM as the creative brain. Use when asked to create videos...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill's stated purpose (drive Google Veo 3 renders using an LLM brain and stitch with ffmpeg) matches the code: it POSTs to Google's generative endpoint and stitches with ffmpeg. However the registry declares no required environment variables while SKILL.md instructs users to set VEO_API_KEY — a clear mismatch between declared metadata and actual needs. The example and script also embed a default API key in code, which is unexpected for a production skill and not explained by the stated purpose.
Instruction Scope (flagged)
SKILL.md instructs only that you provide a Veo/Gemini API key (and optionally store it in 1Password). The runtime code, besides calling Google Veo endpoints, attempts to use an Anthropic SDK (anthropic import and client.messages.create) to call a Claude model for shot planning. SKILL.md describes using 'OpenClaw's configured LLM' but does not document the need for Anthropic credentials or the Anthropic SDK — an instruction/scope mismatch. The code reads/writes local output files and invokes ffmpeg/ffprobe (expected), and it sends shot prompts and user content to external APIs (expected), but the lack of declaration for LLM credentials and the 1Password mention (not implemented in code) are inconsistent.
Install Mechanism
No install spec — this is an instruction + script skill. That is low risk from an installation perspective because nothing is downloaded or executed at install time beyond user-run scripts.
Credentials (flagged)
SKILL.md and the scripts expect a VEO_API_KEY (Gemini/GaIA key) but the registry metadata lists no required env variables. Worse, both scripts include a hard-coded API key fallback (string beginning with 'AIzaSy...') embedded in the source. Hard-coded API keys are a red flag: either a leaked/test key was left in the repo, or the author used a key to simplify examples. The code also tries to use the Anthropic SDK for LLM planning but does not declare or document Anthropic/LLM credentials in the registry. The number and placement of credential-related artifacts are disproportionate and not transparent.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes only to an output directory under the user's home and does not modify other skills or global agent settings.
What to consider before installing
Key points to consider before installing or running this skill:
- Do not assume the embedded API key is safe: both scripts include a hard-coded string that looks like a Google API key (AIzaSy...). If that key is valid and belongs to you, rotate it immediately; if it belongs to someone else it may be unauthorized or rate-limited.
- The registry metadata omits required env vars. SKILL.md instructs you to set VEO_API_KEY, but the skill's registry lists no env requirements — expect to provide at least VEO_API_KEY before use.
- The code attempts to call an Anthropic client for the LLM shot planner but SKILL.md does not document Anthropic/LLM credentials or SDK installation. Ask the author which LLM integrations are required and how credentials are supplied.
- The skill sends your prompt text and generated shot prompts to external services (Google Generative API and, possibly, Anthropic). Only run it if you are comfortable with that data leaving your machine.
- If you want to use the skill: review and remove the hard-coded API key, confirm which LLM provider is used and supply your own credentials, and test in a sandboxed environment. If you cannot get clarity from the author, treat the skill as untrusted and avoid running it with real credentials or sensitive prompts.

