Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hailuo Ai
v1.0.0
MiniMax Hailuo AI video generation assistant, skilled in text-to-video, image-to-video, subject reference, multi-shot
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md explicitly documents calling a MiniMax/Hailuo REST API and demonstrates using API_KEY/Authorization bearer tokens. However the skill metadata lists no required environment variables or primary credential. A video-generation integration legitimately needs an API key; the manifest's omission is incoherent and could lead to unexpected behavior (agent trying to use any available API_KEY in the environment).
Instruction Scope
The instructions stay within the expected scope for a video-generation helper (construct prompts, call remote video_generation endpoints, poll for results, accept image URLs as first frames). They do instruct the agent to send prompts and uploaded reference images to an external API; that is expected for this purpose but represents data exfiltration of whatever the user supplies (prompts, images, possibly private data). The SKILL.md does not instruct the agent to read unrelated local files or other environment variables.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is nothing written to disk or downloaded during install — this is low-risk from an installation standpoint.
Credentials
The runtime examples require an API key (API_KEY) and call a remote endpoint, but requires.env and primary credential are empty. The skill should declare the single credential it needs (e.g., MINIMAX_API_KEY or HAILUO_API_KEY) and mark it as primary. Without that declaration it's unclear what environment variables the agent will use, and it may pick up unrelated credentials in the environment.
Persistence & Privilege
The skill does not request persistent presence (always is false), does not modify system or other skills' configuration, and declares no config paths. Autonomous invocation is allowed by default but is not combined here with other elevated privileges.
What to consider before installing
This skill appears to be a straightforward helper for Hailuo/MiniMax video generation, but the SKILL.md shows it needs an API key while the manifest does not declare any required credentials. Before installing:
1) ask the publisher to add a declared primary credential (e.g., HAILUO_API_KEY) in requires.env so you know exactly what will be used;
2) verify the API endpoint domain (https://api.minimaxi.chat) and the provider's privacy/retention policy — prompts and any uploaded images will be sent to that service;
3) avoid sending sensitive images or PII to the service, or test with non-sensitive data first;
4) use a scoped, limited-privilege API key (or test/dummy key) rather than a long-lived account key;
5) if you require stronger assurance, request an explanation from the maintainer why credentials were omitted in the manifest and ask for an explicit primaryEnv entry before enabling the skill.
Like a lobster shell, security has layers — review code before you run it.
