Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cinematic Story Video Gen

v0.1.0

Generate and create cinematic story videos—film-language lighting, shallow depth of field, widescreen 16:9, orange–teal grade, narrative camera moves, and sc...

by parallel world @zoucdr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), single required env var (WERYAI_API_KEY), and bundled CLI + reference doc all align with a video-generation skill that calls WeryAI endpoints.
Instruction Scope
SKILL.md and scripts implement only the video generation flows described (text→video, image→video, multi-image). The script will read local image files and upload them to WeryAI when given local paths — this behavior is necessary for image→video but is a sensitive operation. SKILL.md mandates explicit user consent before uploads and any paid submit, but that is a policy/instruction (not programmatically enforced), so operators should verify consent flow in their agent integration.
Install Mechanism
No install spec; this is an instruction-only skill with a Node script. No downloads or third-party installers are pulled by the skill package itself.
Credentials
Only WERYAI_API_KEY is required (declared as primaryEnv). That single secret is appropriate and expected for contacting the WeryAI API; no unrelated credentials or broad system paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or global agent configuration.
Assessment
This package appears to be what it says: a WeryAI video-generation CLI wrapper. Before installing or running it: (1) Review scripts/video_gen.js yourself or in a staging environment—the script will read local image files and upload them to WeryAI if you pass local paths. Only provide local file paths with explicit consent and awareness that the file will be transmitted to https://api-growth-agent.weryai.com. (2) Provision a scoped WERYAI_API_KEY (least privilege or limited-credit account) rather than using a high-privilege production key. (3) The SKILL.md requires explicit user confirmation before any paid submit; ensure your agent enforces that confirmation step (the script itself does not block submits based on consent). (4) Run in an isolated environment for higher assurance and avoid passing private/local file paths unless you've audited the upload behavior. If you want additional assurance, ask the publisher for a checksum or upstream source for the script and confirm the external hostnames match your expectations.
scripts/video_gen.js:635
Environment variable access combined with network send.
scripts/video_gen.js:219
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e0y4jz7dc2yzjcxy14afsqh83eba2


Runtime requirements

🎬 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
