ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Carpet Wash Video

v0.1.0

Generate satisfying vertical carpet deep-clean shorts (WeryAI): text-to-video or dirty rug photo to rinse, grime runoff, and fiber revival. Use when you need...

0· 66·0 current·1 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (carpet-cleaning short videos) match the declared runtime needs: Node.js and a WERYAI_API_KEY. The primary credential and binaries are what you'd expect for a remote video-generation API client.
Instruction Scope
SKILL.md confines runtime actions to: expanding prompts, validating inputs (https image URLs), and calling the WeryAI API via scripts/video_gen.js. It explicitly warns about secrets and endpoint overrides and does not instruct the agent to read unrelated files or other environment secrets.
Install Mechanism
There is no install spec (instruction + included CLI script). No downloads from untrusted URLs or archive extraction. The shipped Node script is self-contained and targets Node 18+ (which provides fetch).
Credentials
The only required environment variable is WERYAI_API_KEY (declared as primary). Optional overrides (WERYAI_BASE_URL, WERYAI_MODELS_BASE_URL) are documented. No unrelated tokens, credentials, or config paths are requested.
Persistence & Privilege
Skill is not 'always' enabled and is user-invocable. It does not request modifications to other skills or system-wide settings and does not persist additional credentials beyond using the provided API key at runtime.
Assessment
This package appears to do exactly what it says: call WeryAI to generate short carpet-cleaning videos. Before enabling, verify you trust the source and do not hardcode your WERYAI_API_KEY into the skill. If you plan to use alternative endpoint env vars (WERYAI_BASE_URL or WERYAI_MODELS_BASE_URL), confirm they point to trusted hosts — changing them can redirect your API key and data. Consider running the script in an isolated container or ephemeral account for higher assurance, and inspect scripts/video_gen.js yourself (it is small and network-only) if you have any doubt. Finally, follow the SKILL.md confirmation workflow so prompts, uploaded image URLs, and the expanded production prompt are reviewed by the user before submission.
scripts/video_gen.js:23
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97abe9tf972r0cttx8247yzc183aet7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧹 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments