ClawHub

Art Process Video

v0.1.2

Generate vertical short videos of painting / retouching creative process (WeryAI): layered progression from sketch to finish—illustration coloring, posters,...

0· 83·0 current·1 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (art process video generation) match the declared requirements: Node.js 18+, a single service API key (WERYAI_API_KEY), and an included CLI script that calls WeryAI video endpoints. Nothing required (binaries, env vars, or config paths) appears unrelated to video generation.
Instruction Scope
SKILL.md instructs the agent to expand prompts and run the provided script with the expanded prompt, require public https image URLs, present a confirmation step, and surface API errors. It does not instruct reading unrelated files or exfiltrating arbitrary data. The docs explicitly warn about secrets and URL overrides.
Install Mechanism
No install spec (instruction-only plus a shipped Node script). No external downloads or installers are requested. The runtime relies on Node 18+ (fetch available) and the included script, which is visible in the package.
Credentials
Only WERYAI_API_KEY is required (declared as primaryEnv). Optional environment variables (WERYAI_BASE_URL, WERYAI_MODELS_BASE_URL, WERYAI_POLL_INTERVAL_MS, WERYAI_POLL_TIMEOUT_MS) are documented and limited; the script enforces an allowlist for host overrides (only weryai.com subdomains and localhost/127.0.0.1 are accepted), which constrains accidental exfiltration. Requesting an API key is proportionate.
Persistence & Privilege
always is false and the skill does not request system-wide persistence or modification of other skills. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.
Assessment
This package appears coherent and implements a Node CLI that calls WeryAI with a single required API key. Before installing or supplying secrets: 1) Review the included scripts (scripts/video_gen.js) yourself — the source in the package is the runtime code. 2) Do not set WERYAI_BASE_URL or MODELS_BASE_URL to untrusted hosts; the script will ignore non-weryai hosts but double-check any overrides. 3) Use a short-lived or scoped API key or an account you control and monitor usage (generations consume credits). 4) Make sure image inputs are public https URLs as required. 5) Because the package source/homepage is unknown, prefer testing in an isolated environment/container and rotate the API key if you later revoke access. If you want higher assurance, provide the full (untruncated) scripts for independent review or verify the publisher's reputation.
scripts/video_gen.js:68
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97datxc1fb5pkf44dbw4rjw8183a03s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎨 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments