Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

fotor-skills

v1.0.12

An all-in-one AI photo editor and AI video generator for generating, editing, transforming, and enhancing images and videos. Create product photos, ad creati...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (AI photo/video generation) match the declared requirements: a FOTOR_OPENAPI_KEY and the 'uv' bootstrap tool are required and used by the bundled scripts. The Python scripts implement task running, uploading, SDK installation, and update checking which are reasonable for an API client SDK.
Instruction Scope
SKILL.md instructs the agent/user to create a local .venv, run bundled Python scripts, and set FOTOR_OPENAPI_KEY. The scripts perform network calls to Fotor endpoints (e.g., api-b.fotor.com) and GitHub (for update checks) and implement a signed-file upload flow that uploads local files to a signed target. The update checker searches for skills-lock.json in parent directories (it may read a skills-lock.json outside the skill directory). These behaviors align with an SDK but mean scripts will read some repo metadata and make outbound network requests.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md recommends installing 'uv' by piping a remote install script (curl | sh) from https://astral.sh/uv/install.sh or its PowerShell analogue. The bundled Python installation uses uv to run pip against the local venv and installs the fotor-sdk from PyPI. The remote bootstrap step is common but increases operational risk — inspect the install script before running it.
Credentials
Only one required environment variable is declared (FOTOR_OPENAPI_KEY), which is the expected credential for this SDK. The code optionally uses FOTOR_OPENAPI_ENDPOINT in references/examples; no unrelated secrets (AWS, GitHub tokens, etc.) are requested. Required config paths (_meta.json, skills-lock.json) are metadata files used by the update-checker and are not credentials, though the update-checker may read skills-lock.json from parent directories.
Persistence & Privilege
The skill does not request always:true and does not declare any elevated privileges. It does include an update checker that may call external services and uses local state files (default state dir) but it does not attempt to modify other skills or system-wide settings.
Assessment
This skill appears to be what it claims: an SDK and scripts that call Fotor's OpenAPI and upload images/videos. Before installing or running:
1) Do not paste your real API key into public chat—use a local .env or an environment variable and add .env to .gitignore (the repo's reference docs recommend this).
2) Inspect any remote 'curl | sh' installer (the UV bootstrap URL) before running it; you can instead install 'uv' from trusted package sources or set up Python/venv manually.
3) Be aware that scripts will make outbound network calls (Fotor API, GitHub for update checks) and that the update checker looks for skills-lock.json in parent directories — it can read repository metadata outside the skill folder.
4) If you need stricter isolation, run the scripts in a disposable VM/container or inspect scripts (scripts/run_task.py, upload_image.py, check_skill_update.py) to confirm they meet your privacy/security needs.
If you want, I can point to the exact lines that perform network calls and where uploads occur.

Like a lobster shell, security has layers — review code before you run it.

latest vk973gjtey2g9dmm5mmkna2f7y184dkf4


Runtime requirements

Bins: uv
Env: FOTOR_OPENAPI_KEY
Config: _meta.json, skills-lock.json
Primary env: FOTOR_OPENAPI_KEY
