Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wan-video-gen

v0.1.0

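A video generation skill based on the Wan text-to-video models on Alibaba Cloud Bailian. It supports submitting video generation tasks, polling task status, and downloading generated videos to local storage. Use this skill when the user needs to generate a video from a prompt, continue querying an existing video generation task, or generate video with or without audio using Wan-series models.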

by Wei Zhou (@zhouweico)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Wan video generation) match required binary (node), the single required env var (DASHSCOPE_API_KEY), and the code which calls the DashScope endpoints. The provided pricing and polling behaviour are consistent with a video-generation CLI.
Instruction Scope
SKILL.md restricts actions to creating/polling tasks and downloading results. The script reads config.json (in the skill folder) and may read an optional env var (WAN_VIDEO_MODEL) as a selection override — WAN_VIDEO_MODEL is not declared in requires.env but is harmless. The script writes downloaded MP4s to outputs/ and may create config.json if the user uses that setup path.
Install Mechanism
No install spec (instruction-only + a Node script). No remote downloads or archive extraction. Only dependency is Node.js >=18 which is declared.
Credentials
Only one credential is required (DASHSCOPE_API_KEY) which is appropriate for calling the DashScope API. The code will also read config.json if present and an optional WAN_VIDEO_MODEL environment variable (not declared). If you store the API key in config.json it will be on disk — using an env var is preferable.
Persistence & Privilege
Skill is not always-enabled and does not request persistent platform privileges. It writes outputs to a local outputs/ directory and reads config.json from the skill folder — this is normal for a CLI-style tool.
Assessment
This skill appears coherent for generating videos via Aliyun DashScope. Before installing, confirm you trust the DashScope endpoint (dashscope.aliyuncs.com) and are willing to provide its API key. Prefer setting DASHSCOPE_API_KEY as an environment variable rather than storing API keys in config.json on disk. Be aware the script will create an outputs/ directory and download MP4 files (potentially large) and will make network requests (POST to create tasks, GET to poll tasks). Also review cost estimates and use --dry-run to inspect request bodies before submitting tasks. If you need to restrict environment exposure, ensure the agent runtime does not expose other secrets to the skill and check for any organizational policy about external API keys.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/wan-video-gen.js:288
Environment variable access combined with network send.
scripts/wan-video-gen.js:173
File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

latest: vk970qn2ztjkjxe2vfxk94nyf3s83j9mn


Runtime requirements

Bins: node
Env: DASHSCOPE_API_KEY
Primary env: DASHSCOPE_API_KEY
