Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
基于需求描述智能生成脚本和视频,让你的每个营销视频都出彩。适用于用户希望“把这个需求直接生成视频”时,通过API自动生成结果而非人工撰写。
v1.0.2营销视频生成服务,通过小念AI的视频模块快速生成营销视频:当用户说"快速生成视频/生成一个视频/做个视频/把这个需求直接生成视频"并希望通过小念AI生成结果而不是手动编写时使用。
⭐ 5· 217·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md align with the declared purpose (generate script → create task → poll state on xiaonian.cc). Requiring an auth token or login to call the dashboard API is coherent with the video-generation purpose. However, the registry metadata claims no required env vars/credentials while the code expects DASHBOARD_TOKEN or DASHBOARD_PHONE+DASHBOARD_PASSWORD (and a DEFAULT_TOKEN fallback). That metadata omission is inconsistent.
Instruction Scope
SKILL.md instructs the agent to run the included Python script and documents the API endpoints. But SKILL.md glosses over auth by saying 'built-in token, no configuration needed' while failing to document the environment variables the script actually reads. The runtime code reads environment variables and can download the resulting video to a local path; it does not otherwise read arbitrary system files. The undocumented env var usage is scope creep in the documentation/metadata.
Install Mechanism
No install spec or third-party downloads are present; the skill is instruction-only plus a local Python script. Nothing writes arbitrary code to disk beyond the included files.
Credentials
The script legitimately needs a bearer token to call the API, so requesting credentials is proportionate to the task. However: (1) the registry metadata lists no required env vars while the code depends on DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASSWORD, and DASHBOARD_BASE_URL; (2) there is a hard-coded DEFAULT_TOKEN string in the code. A default embedded token can be a security risk if it is a valid credential — it could allow the skill to act with whoever owns that token, and its presence without explanation is suspicious.
Persistence & Privilege
The skill is not marked always:true, does not request system-level persistence, and does not modify other skills or global configuration. Standard autonomous invocation remains enabled (expected).
What to consider before installing
This skill implements the claimed video-generation workflow but contains two red flags you should consider before installing or using it:
1) Hard-coded token: The Python script includes a DEFAULT_TOKEN value. If that token is valid, the skill will operate using that account without you providing credentials. Ask the author what that token is for, and never rely on an unexplained embedded credential. Prefer a version that requires you to supply your own token via an environment variable.
2) Undeclared environment variables: The registry metadata declares no required env vars, but the code reads DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASSWORD, and DASHBOARD_BASE_URL. Treat these as sensitive. Do not provide personal credentials until you verify the service and token scope.
Practical steps:
- Ask the publisher to (a) remove the embedded DEFAULT_TOKEN or explain/rotate it, and (b) update the skill metadata and SKILL.md to clearly list required env vars and what each does.
- If you must test it, run in a sandbox environment and do not supply real account credentials; create a dedicated test account with limited permissions.
- Inspect network traffic or logs during a test to confirm calls only go to the documented xiaonian.cc endpoints.
If the author can justify and remove the hard-coded token and correct the metadata/documentation, the skill becomes much less suspicious. Currently, the mismatch and embedded credential justify caution.Like a lobster shell, security has layers — review code before you run it.
latestvk973fbsn20xthfb55pwmzck4t9835dzq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.