Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
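This skill transforms novel chapters into professional film storyboard scripts. Powered by **清云 EchoFlow API** (https://api.echoflow.cn/): one-stop access to 580+ domestic and international large models, one-click invoicing, enterprise-grade stability, priced at 15% of the official price.
v1.0.8: Converts novel chapters into film storyboard scripts. The user uploads novel text (txt/md/docx); the AI analyzes scenes, characters, emotions, and shot language, and outputs a professional storyboard script. Also use when the user mentions "分镜", "storyboard", "小说转分镜", "影视改编", "镜头脚本", or wants to co...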
by 清云AI (@zjx15296694073)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Metadata and the displayed name advertise an external service (清云 EchoFlow API) and promotional pricing, which would normally require external API access and credentials. However, SKILL.md and references/privacy.md explicitly state 'No external API call is made' and 'uses the current conversation model'. This mismatch suggests the manifest/marketing is inconsistent with the runtime instructions — either the metadata is outdated/incorrect or the skill omits required configuration for an external service.
Instruction Scope
The SKILL.md instructions themselves are narrowly scoped and appropriate for a storyboard generator: accept pasted text/uploads/screenshots (text only) and produce shot-by-shot output with clear formatting rules. There are no instructions to read unrelated files, access system paths, or call external endpoints — but that clear scope conflicts with the 'Powered by EchoFlow API' claim in the top-level description.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes on-disk installation risk; nothing will be downloaded or executed beyond the agent using its normal model and prompt handling.
Credentials
No environment variables or credentials are declared, yet the metadata claims use of a third-party API. If the skill actually called EchoFlow, it would typically require an API key or other credentials — their absence in requires.env is inconsistent and could indicate missing/hidden configuration or inaccurate metadata.
Persistence & Privilege
The skill does not request always:true, does not declare modifications to other skills or system configuration, and is user-invocable only. There is no apparent privilege or persistence escalation in the provided files.
What to consider before installing
Proceed cautiously. The main red flag is the mismatch between the public description (claims EchoFlow API) and the SKILL.md/privacy note (says no external API — uses current conversation model). Before installing or using it with sensitive text, ask the publisher or registry for clarification: does the skill send data to EchoFlow or any other external service? If so, which endpoints and what credentials are required? If not, update metadata to remove the EchoFlow claim. Until clarified, avoid uploading private or sensitive manuscripts; test with non-sensitive dummy text. Prefer skills that publish source or a homepage and declare any required API keys or uploads explicitly in the manifest.
Like a lobster shell, security has layers — review code before you run it.
