ClawHub

Cake Decor Video

v0.1.0

Generate vertical short videos of cake decorating and pastry finishing (WeryAI): frosting, piping, mirror glaze, and other high-aesthetic handmade beats. Use...

0· 77·0 current·1 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (cake-decor video generation) match the declared requirements: Node.js and a single WERYAI_API_KEY. The included CLI script and SKILL.md implement text/image-to-video submission and polling against WeryAI endpoints — expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to expand prompts, require public https image URLs, confirm parameters, and then run the provided node CLI. It also documents and warns about optional environment variable overrides (WERYAI_BASE_URL / WERYAI_MODELS_BASE_URL) that, if set to untrusted hosts, could redirect the API key and data — this is an expected testing hook but a real risk if environment is tampered with.
Install Mechanism
No install spec; the skill is instruction + a single standalone Node script with no npm dependencies. This is low-risk compared with downloading/executing external archives. Node 18+ is required (fetch/AbortController usage is consistent).
Credentials
Only WERYAI_API_KEY is required (primary credential) plus optional host overrides and poll timing vars. These are proportionate to a remote-generation skill. There are no unrelated secret requests (no AWS, GitHub tokens, etc.).
Persistence & Privilege
Skill is not always-on (always:false) and is user-invocable. It does not request elevated system persistence or modify other skills/config; autonomous invocation is allowed but is the platform default.
Assessment
This package appears to do what it says: submit expanded prompts and optional image URLs to WeryAI and poll for results. Before installing, confirm you trust the WERYAI service and the skill source, and only set WERYAI_API_KEY in environments you control. Review scripts/video_gen.js yourself (it is small and readable) and do not set the WERYAI_BASE_URL or WERYAI_MODELS_BASE_URL to unknown hosts (those overrides can redirect your API key and content). Consider running first in a disposable account or container and be aware each run consumes paid credits.
scripts/video_gen.js:23
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk974cdsb33dthry1g2sw4mwhwh83a495

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎂 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments