Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cute Pet Healing Video
v1.0.5
Generate vertical healing-style cute pet shorts (WeryAI): soft motion, warm soft light, slow pace and light ambience—strong completion on short-video feeds;...
by parallel world (@zoucdr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (generate short vertical pet videos) align with required runtime pieces: Node.js and a single WERYAI_API_KEY. The included CLI script and API host URLs match the described functionality; nothing requested appears unrelated to video generation.
Instruction Scope
SKILL.md limits scope to text-to-video and image-to-video flows and explicitly warns about local-file uploads and requiring user consent. The bundled script will read local image files and upload them if passed a local path — this is coherent with the stated image-to-video feature but is a sensitive operation that requires explicit opt-in and review before use.
Install Mechanism
No install/download step is present; the skill ships a single Node script and documentation. There are no external archive downloads, third-party package installs, or unknown remote install endpoints.
Credentials
Only one secret is required (WERYAI_API_KEY), which is the expected credential for the external WeryAI APIs. The script does not read other environment variables and API hosts are hard-coded as documented.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It does not alter other skills or system-wide configs. Autonomous invocation is allowed by default but is standard behavior and not combined with other red flags here.
Assessment
This package appears coherent for generating pet videos, but review the bundled scripts before using them in a production environment. Specific suggestions:
- Inspect scripts/video_gen.js yourself (or have someone you trust do so) before allowing any local image paths; the script will read the specified file and upload it to WeryAI using your WERYAI_API_KEY.
- Prefer public https:// image URLs to avoid uploading local files.
- Provide a short-lived or restricted WERYAI API key where possible and monitor account usage/billing, since each run consumes credits.
- Run initial tests in an isolated environment or disposable account/container.
- Confirm your Node 18+ runtime supports the fetch/FormData/Blob usage in the script, and that you consent explicitly before passing any file:// or local path to the skill.
scripts/video_gen.js:666
Environment variable access combined with network send.
scripts/video_gen.js:218
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97cerjt3fffwj1b8j1nx21yy983ce2n
Runtime requirements
🐾 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
