ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Generator

v1.0.0

AI 视频生成技能,支持 Luma Dream Machine、Runway ML、Kling AI 等多个平台。文生视频、图生视频。

0· 194·2 current·2 all-time
by@zhaozewen0519
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The script implements Luma, Runway, and Kling video generation and only needs an API key per platform. However, the skill metadata and registry list required binaries 'curl' and 'jq' even though the provided Python script uses urllib and base64 and does not call curl/jq. This mismatch is unnecessary for the stated purpose and suggests sloppy metadata or possible leftover requirements from a different implementation.
Instruction Scope
SKILL.md instructs the agent to run the included Python script and to supply an API key either via --api-key or environment variables. The instructions do not request unrelated system files, other credentials, or exfiltration endpoints; network calls are only to the named provider APIs.
Install Mechanism
There is no install spec (instruction-only skill with a bundled script). Nothing is downloaded at install time and no installers or arbitrary remote archives are referenced. Risk from installation is low.
Credentials
The code expects per-platform API keys (LUMA_API_KEY, RUNWAY_API_KEY, KLING_API_KEY), which are proportionate to the skill's function. Registry metadata shows no required env vars but SKILL.md lists these as optional — practically, the script will fail unless an API key is provided for the chosen platform, so you must supply those keys. No other credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does write output files (videos) to paths you provide, which is expected behavior.
What to consider before installing
Before installing: (1) Understand you will need a valid API key for whichever provider you use (Luma/Runway/Kling); the script will send your key to those provider endpoints to create and download videos. (2) The skill metadata unnecessarily lists curl and jq even though the bundled Python script doesn't use them — this mismatch is not by itself malicious but is sloppy and worth asking the publisher to clarify or fixing locally. (3) Review the provider URLs in the script if you need to verify they are official endpoints. (4) Be careful with filenames/paths you pass (the script writes files to disk). (5) If you do not trust the unknown source owner, consider running the script in a sandboxed environment or inspect/modify the code (e.g., remove or correct metadata) before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk979j4xhv9q1cj66jgf3egyrmd835pkn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Binscurl, jq

Comments