ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Media.io Text to Video API

v1.0.0

Generate high-quality AI videos from text prompts using the Media.io Text to Video API with supported top models and task progress tracking.

0· 62·0 current·0 all-time
by@wondershare-boop
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, c_api_doc_detail.json, and scripts/skill_router.py consistently implement a Media.io text-to-video and related APIs (Credits, Task Result, Vidu Q3). The code enforces calls only to openapi.media.io, which is coherent with the stated purpose.
Instruction Scope
Runtime instructions and the Python router are narrowly scoped to calling the documented Media.io endpoints, replacing path params and posting JSON. The SKILL.md instructs use of an API_KEY only for authorization; there are no instructions to read unrelated files, system state, or to transmit data to other endpoints.
Install Mechanism
There is no install spec (instruction-only plus a small included Python script). No remote downloads or archive extraction occur at install time. Risk from installation artifacts is low.
!
Credentials
The SKILL.md and scripts require an API key (API_KEY used as X-API-KEY), which is appropriate. However, the registry metadata supplied with the skill indicates no required env vars / primary credential — an inconsistency between the published manifest and the runtime instructions/code. The skill will accept an API_KEY and use it to call openapi.media.io; requiring an API key is proportional, but the manifest mismatch and lack of declared primaryEnv in registry is a red flag that the packaging or metadata may be incomplete or incorrect.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not unusual for a skill of this type.
What to consider before installing
This package appears to be a straightforward Media.io API wrapper and will send whatever API_KEY you provide to openapi.media.io only (the router enforces that host). However: (1) the registry metadata omitted the API_KEY requirement even though SKILL.md and the code require it — that mismatch could be a packaging error or oversight; (2) the skill's publisher/source fields are unclear (no verified homepage), so verify the publisher and that openapi.media.io is the correct official endpoint before providing credentials; (3) use a least-privileged API key (e.g., scoped/test key) and monitor usage/credits because generation is billable; and (4) review the included scripts yourself if you plan to run them in a sensitive environment. If you need higher assurance, ask the publisher for an authoritative homepage or signed release, or only install from trusted sources.

Like a lobster shell, security has layers — review code before you run it.

latestvk978nq60bvdgp6g6kjxv0n0j31838yz8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments