Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vibbit SKILL

v1.0.7

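Calls the Vibbit OpenAPI to provide five capabilities: AI image generation, parsing Douyin/Xiaohongshu/Bilibili links, viral video breakdown, querying the list of digital humans available to the current user, and initializing the digital-human talking-head video workflow. When the user says "generate an image / AI image", "parse this Douyin/Xiaohongshu/Bilibili link", "break down this viral video / video breakdown", "show me which digital humans I have / list the digital humans...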

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description map to a CLI wrapper around Vibbit OpenAPI. The single required credential (VIBBIT_API_KEY) and optional VIBBIT_BASE_URL match the stated purpose. Requiring ffprobe as optional fallback is reasonable for file probing.
Instruction Scope
SKILL.md and the script explicitly instruct the agent to fetch metadata for user-supplied material URLs via https://tools.vibbit.ai/api/file-info and, if that fails, to download the URL content locally for size/dimensions parsing. It also requires always running gen_image before oral_broadcast by default (unless user opts out). These behaviors are documented, but they mean user-provided URLs and their metadata are transmitted to external services and arbitrary URLs may be downloaded by the runner.
Install Mechanism
No install spec; the skill is an instruction + single JS script requiring Node 18+. No external downloads or installers are embedded in the manifest.
Credentials
Only VIBBIT_API_KEY (primary) and optional VIBBIT_BASE_URL are requested. This is proportional to a wrapper that must authenticate to Vibbit. The API key grants access to the user's Vibbit tenant and will be used to submit tasks and read results — treat it as sensitive.
Persistence & Privilege
always is false; the skill does not request forced persistent inclusion or system-wide config changes. It can be invoked autonomously (default), which is normal for skills.
Assessment
This skill behaves like a documented Vibbit OpenAPI client — it will send requests to the Vibbit service using VIBBIT_API_KEY and will also POST user-supplied material URLs to https://tools.vibbit.ai/api/file-info (or download those URLs locally) to build file metadata. Before installing: (1) Only provide an API key you trust and that is scoped appropriately; treat VIBBIT_API_KEY as sensitive. (2) Avoid supplying private or authenticated URLs or sensitive media unless you are comfortable that those URLs (and their metadata) will be transmitted to Vibbit/tools.vibbit.ai. (3) Note the skill may auto-trigger for matching user intents; confirm you want that behavior. If you need stronger privacy guarantees, ask for the vendor's data/retention policy or use an isolated environment and a limited-scope API key; rotate the key if you suspect misuse.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/vibbit.js:257: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Any bin: ffprobe
Env: VIBBIT_API_KEY
Primary env: VIBBIT_API_KEY
Environment variables
VIBBIT_API_KEY (required): Jisi (集思) platform API key, available at https://app.vibbit.cn/api-keys
VIBBIT_BASE_URL (optional): API base URL, defaults to https://openapi.vibbit.cn; used when switching to a test environment
