Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Story Video Generator
v1.0.0从图片或文字描述自动生成完整视频故事。支持灵活输入(1-N张图片/纯文字/混合),可选时长和风格。当用户要求生成视频故事、视频短片、图片转视频、文字转视频时使用。
⭐ 0· 29·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description match the runtime instructions: script → frames → segments → BGM → merge. However, the skill assumes the presence (or automatic installation) of FFmpeg and relies heavily on opaque tools (images_understand, gen_images, gen_videos, gen_music) without declaring them as required binaries, services, or credentials — this omission is unexpected for an end-to-end generator.
Instruction Scope
SKILL.md stays within the stated purpose: it reads user images/text, generates scripts, writes outputs under output/, and runs FFmpeg to merge. It does not instruct access to unrelated system files or secrets. The only scope concern is the broad autonomy given to call external generators (gen_* and LLM) whose network/data handling is unspecified.
Install Mechanism
There is no install spec, yet the instructions say 'check FFmpeg and install if not available'. Without an install mechanism, it is unclear how FFmpeg would be installed (which package source, whether network downloads occur, or whether elevated privileges are required). This ambiguity increases risk.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to its stated purpose. However, because it invokes opaque gen_* services and an LLM, the absence of any declared API keys or endpoints is a gap: if those tools use remote APIs, credentials or network access will be needed but are not documented.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It writes files only under an output/ directory as part of normal operation. No modifications to other skills or global agent settings are described.
What to consider before installing
This skill appears to implement the claimed video-generation workflow, but before installing you should verify a few things: (1) Confirm what the gen_* tools and the 'images_understand' and LLM calls actually are — are they local binaries/plugins, or cloud APIs that will send user images/text off-host? (2) Clarify how FFmpeg will be installed if missing (which installer, will it download from the network, require sudo?). (3) Ask whether any external services require API keys or billing (none are declared). (4) If privacy is a concern, require explicit confirmation that user media will not be uploaded to third-party endpoints, or run the skill in a sandboxed environment. If the developer can provide an install spec (or declare that gen_* are built-in safe tools and how FFmpeg is installed), the remaining issues would be resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk970bqzasd3dpczfz2pqjp3ewd8467q1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.