Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Media.io Wan Video Generator

v1.0.0

Generate 1080p AI videos via Media.io Wan (v2.6) using text, images, or reference videos through the Media.io OpenAPI.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, _meta.json, and included c_api_doc_detail.json all describe a Media.io Wan video generator and the code implements calls to media.io endpoints — this is coherent. However, the registry summary at the top of the submission claims 'Required env vars: none' while the skill files (SKILL.md and _meta.json) require an API_KEY. That metadata mismatch is a coherence problem (likely an oversight) and should be corrected.
Instruction Scope
SKILL.md instructs only how to call Media.io APIs and the runtime code (scripts/skill_router.py) only reads API_KEY from env or argument and performs HTTPS requests to the documented endpoints. There are no instructions to read unrelated files, system state, or to transmit data to third parties beyond the Media.io API host.
Install Mechanism
There is no install spec (instruction-only), which lowers disk-write risk. However, the bundled code imports the Python 'requests' library but no dependency manifest declares it. That is an inconsistency: the runtime environment must provide 'requests' or the code will fail. No external download URLs or archives are used.
Credentials
The only runtime secret accessed is API_KEY (used as X-API-KEY) which is appropriate for the described Media.io integration. Again, the registry-level metadata omitted this required env var while SKILL.md and _meta.json include it — this mismatch should be fixed. No other credentials or secrets are requested.
Persistence & Privilege
The skill does not request persistent/system privileges, does not set always:true, and does not modify other skills' configurations. It runs network requests only to a single allowed host as enforced by the code.
What to consider before installing
This skill appears to implement what it claims (a Media.io Wan video generator) and the code restricts calls to openapi.media.io, but there are a few things to verify before installing:
1) The registry metadata omitted the required API_KEY—make sure you will only provide a Media.io API key and understand its permissions and billing implications.
2) The Python code uses the 'requests' package but no dependency is declared; run it in an environment that has requests installed or add a dependency declaration.
3) Inspect c_api_doc_detail.json to confirm the endpoints are the official openapi.media.io URLs you expect (the router enforces host == 'openapi.media.io').
4) Prefer running in an isolated environment (sandbox/VM) first and avoid sharing any high-privilege or long-lived API keys.
If you want this skill installed, ask the publisher to fix the registry metadata to list API_KEY as required and to declare the 'requests' dependency so the package metadata and runtime behavior match.

latestvk97fb6z7td456w2fbwqakbsr49838kwd
