Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

unisk_video_notification_pro

v1.0.1

Sends an IVVR video notification to a specified mobile phone number; requires the local path of the video and the phone number.

0 stars · 67 downloads · 0 current · 0 all-time
by ZhangKai @zhu-xiao-di

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhu-xiao-di/video-notification-pro.

Install the skill "unisk_video_notification_pro" (zhu-xiao-di/video-notification-pro) from ClawHub.
Skill page: https://clawhub.ai/zhu-xiao-di/video-notification-pro
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install zhu-xiao-di/video-notification-pro

ClawHub CLI

npx clawhub@latest install video-notification-pro
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly implements an IVVR video-notification flow and requires BASE_URL, APP_ID, ACCESS_KEY, and ACCESS_SECRET — these environment variables are coherent with the described purpose. However, the registry-level metadata (Requirements) earlier in the package lists no required env vars, which is an inconsistency between the manifest and the runtime instructions and should be corrected/clarified before trusting the skill.
Instruction Scope
The runtime instructions read an arbitrary absolute local file path and upload that file to the configured BASE_URL, then trigger a remote notify endpoint. This is within the stated purpose but grants the skill the ability to read and transmit any file the agent is instructed to upload — a potential file-exfiltration vector if inputs are not tightly controlled. Additionally, the requests calls set verify=False (TLS verification disabled), which weakens transport security and risks man-in-the-middle interception of credentials or file data.
Install Mechanism
Instruction-only skill with no install spec and no code files beyond SKILL.md. This is low-risk from an installation perspective (nothing is downloaded or written by an installer).
Credentials
The number and type of environment variables (BASE_URL, APP_ID, ACCESS_KEY, ACCESS_SECRET) are proportionate to an API integration. The SKILL.md uses them and treats ACCESS_SECRET as secret material. The prior registry metadata failing to declare these required env vars is an inconsistency. Ensure these secrets are stored securely and scoped to the IVVR service; do not reuse high-privilege or cross-service credentials.
Persistence & Privilege
The skill does not request always:true and does not have install-time persistence, which is good. However, it is allowed to be invoked autonomously (platform default). Combined with its ability to read arbitrary local paths and upload them to an external endpoint, autonomous invocation increases risk: a compromised or misbehaving agent could be instructed to exfiltrate sensitive files. Consider limiting autonomous use or restricting allowed input paths.
What to consider before installing
Before installing, verify and correct the manifest inconsistency: the registry metadata should list the four required env vars. Only use this skill with a trusted IVVR BASE_URL and with credentials scoped narrowly to that service. Prefer enabling TLS verification (remove verify=False) so uploads and API calls verify server certificates. Restrict the allowed video_path inputs (e.g., accept files only from a dedicated media directory) to prevent accidental or malicious upload of sensitive files. Store ACCESS_SECRET and other credentials securely (do not reuse broad AWS/SSH/etc. secrets). If you allow autonomous invocation for this skill, be aware it can read and upload arbitrary local files; consider disabling autonomous invocation or adding path-validation safeguards if you cannot fully trust the agent or the remote service.

Like a lobster shell, security has layers — review code before you run it.

latest vk97eheqzaerbphyed81mvq849x85fvap
67 downloads
0 stars
2 versions
Updated 3d ago
v1.0.1
MIT-0

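Video Notification Tool

Usage

Type directly into the conversation: Send a video notification to 15600766391; the video file is at /home/hdjs/podcast-video/duan_input_video.mp4

The tool automatically parses the phone number and the video path, then sends the IVVR video notification.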

Required environment variables (must be configured)

  • BASE_URL
  • APP_ID
  • ACCESS_KEY
  • ACCESS_SECRET

Limitations

  • The video must be given as a local absolute path
  • Size ≤ 5MB
