Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Media.io Video to Video API

v1.0.0

Transform and restyle videos with AI using Media.io OpenAPI, applying style transfers, creative effects, and video transformations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, bundled API doc, and the Python router all align: they call Media.io OpenAPI endpoints (openapi.media.io) to query credits, task results, and perform a motion-control video transformation. However, the registry metadata in the provided listing says 'Required env vars: none' while SKILL.md and the code expect an API_KEY. This metadata mismatch is inconsistent and should be corrected/clarified.
Instruction Scope
SKILL.md and the implementation limit activity to the declared Media.io APIs. Instructions and code only reference the bundled c_api_doc_detail.json, the API_KEY env var, and HTTPS calls to openapi.media.io. There are no instructions to read unrelated files, external endpoints, or to exfiltrate arbitrary data.
Install Mechanism
There is no install spec (instruction-only plus a small bundled Python script and JSON). Nothing is downloaded from external or untrusted URLs and no archives are extracted. This is low risk from an installation standpoint.
Credentials
The runtime requires a single API key (X-API-KEY) which is proportional to contacting the Media.io API. However, the skill registry metadata incorrectly lists no required env vars while SKILL.md and the code require API_KEY — this inconsistency could cause confusion or accidental disclosure if users aren't warned to provide a key securely.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system privileges. The code does not modify other skills or system-wide configuration. Autonomous invocation is allowed (default) but not combined with other red flags here.
What to consider before installing
This skill appears to be a straightforward adapter for Media.io's OpenAPI, but before installing: (1) confirm the skill's source and trustworthiness (the package lists no homepage and the 'source' is ambiguous), (2) be aware you must provide an API_KEY (SKILL.md and the code require it) — store and supply that key securely (do not paste it into chat), (3) verify the registry metadata is updated to declare the API_KEY requirement so you won't miss it, and (4) if you rely on this skill, consider auditing network traffic or reviewing the code yourself to confirm it only communicates with openapi.media.io and does not log or leak the API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk979qcxg2nr1apc0btax9prm2s839ad9
