Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tellers

v1.0.2

Create, edit, and share AI-generated videos using tellers.ai — an AI video platform that aggregates leading generation models (Kling, Veo, LTX, ElevenLabs, a...

by Robin Guignard-Perret (@yxdunc)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly supports uploading media, running long-running generation, and building result URLs using the tellers CLI, which aligns with the skill name and description. However, the runtime instructions require a TELLERS_API_KEY and installing a CLI via 'brew tap tellers-ai/tellers', while the registry metadata lists no required env vars or install steps. The API key is reasonable for the claimed purpose, but the mismatch between metadata and instructions is an inconsistency.
Instruction Scope
Instructions explicitly tell the agent to run local CLI commands that read local file paths (e.g., /path/to/footage), spawn isolated subagents for long-running uploads/generations, parse JSON outputs, and construct app URLs. Those actions are expected for a CLI-backed video service. The only noteworthy scope issue is the advice to persist an API key in shell profiles (~/.zshrc, ~/.bashrc), which broadens where a secret is stored and could increase exposure.
! Install Mechanism
The skill is instruction-only (no install spec in registry) but tells users to run 'brew tap tellers-ai/tellers && brew install tellers'. That uses a third‑party Homebrew tap rather than a standard, verified package source. Installing from an unfamiliar tap can pull arbitrary binaries; this is higher risk than using an official brew formula or a well-known release host.
! Credentials
SKILL.md requires TELLERS_API_KEY (export TELLERS_API_KEY=sk_...), which is proportionate to the CLI's API usage. However, the registry metadata declares no required env vars (discrepancy). The instruction to add the API key export to persistent shell profiles increases surface for accidental disclosure. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request platform-level persistence (always: false) and does not modify other skills. It does instruct the user to persist an API key in shell startup files, which is a user-side persistence decision and increases long-term exposure of the secret but is not a skill-owned privilege escalation.
What to consider before installing
Before installing or using this skill, confirm the source and authenticity of the 'tellers' CLI and the 'tellers-ai' Homebrew tap (prefer official docs or GitHub releases). Expect to need a TELLERS_API_KEY even though the registry metadata omits it — verify where that key is stored and consider setting it only for the session (not in a shared ~/.zshrc) or using a dedicated, limited-permission key. Run the CLI in a sandbox or a throwaway environment first to observe behavior, and avoid exposing unrelated files. If you must add the API key to a profile, restrict file permissions and rotate the key if you stop using the skill. Finally, consider contacting the skill owner or choosing a skill with verifiable homepage/source before granting long-term access.

Like a lobster shell, security has layers — review code before you run it.
