Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
24-hour news is automatically generated into AI videos and can be published with one click, provided by the Vidu API.
v1.0.1
Automatically publish videos to Xiaohongshu, Douyin, WeChat Channels, and Kuaishou with platform-tailored titles and tags via browser automation.
by Vidu AI @x-jihua
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill name/description advertise a Vidu API and automated 24-hour AI video generation and one‑click publishing. The code, SKILL.md, and README do not call any 'Vidu' API, do not generate videos, and only implement browser automation to upload existing local video files. This mismatch (advertised API/auto-generation vs actual local-file publishing via Playwright) is an incoherence a user should note.
Instruction Scope
SKILL.md instructs the agent to open a browser, reuse or create login state, upload user-supplied video files, and fill titles/tags; that matches the code. It requires access to local video paths and to browser_state.json (Playwright storage state). The instructions do not ask the agent to read unrelated system secrets, but they do rely on reusing browser login state, which may expose account cookies if mishandled.
Install Mechanism
There is no install spec despite the code importing and using Playwright (playwright.async_api) and expecting a browser runtime. Required dependencies (python-playwright and browser binaries) are not declared. That omission is disproportionate: users will need to install Playwright and browsers manually; an install step should be provided and audited.
Credentials
The skill declares no environment variables or credentials (which is consistent with browser-based automation). However, it will access local files (the user-supplied video path) and a storage_state file (browser_state.json) containing browser authentication state — access to those should be considered sensitive. No unrelated credentials are requested.
Persistence & Privilege
always:false and model invocation are default. The skill does not request permanent platform-wide privileges. It does read/use (and may write, depending on Playwright behavior) browser_state.json to persist login sessions; that is normal for browser automation but worth noting.
What to consider before installing
Key points before installing:
- The skill advertises 'Vidu API' and automated AI video generation but the code only automates a browser to upload existing local videos; if you expected an API-based or auto-generation pipeline, this skill does not provide it. Ask the author for clarification or an updated README.
- The package uses Playwright but provides no install instructions or dependency declarations; you will need to install python-playwright and browser binaries yourself. Prefer running this in an isolated environment or VM to limit risk.
- The scripts will access local video files you provide and reuse browser_state.json (cookies/auth). Do not point it at videos or browser state from accounts with sensitive access. Inspect browser_state.json contents before reuse and avoid sharing it.
- The tool requires you to be logged into target platforms (it may prompt for manual login). Be aware of platform terms of service and content-moderation risk when publishing sensitive material (e.g., political/military news).
- If you want to proceed, request from the publisher: (1) a clear install spec (requirements.txt or install script), (2) confirmation whether any external Vidu API exists and its endpoint/auth, and (3) assurance about how browser_state.json is used/saved. If those are not provided, treat the package as untrusted and run only in an isolated test environment.

Like a lobster shell, security has layers — review code before you run it.
