ClawHub

Garden Grow Video

v0.1.3

Generate vertical short videos of gardening and plant growth (WeryAI): seed germination, bloom and fruit, succulents, mushrooms, and time-lapse growth storie...

0· 86·0 current·1 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (vertical garden/time-lapse videos) match the included script and SKILL.md. Requested items—Node.js and WERYAI_API_KEY—are appropriate and necessary for calling the WeryAI API; no unrelated credentials or binaries are required.
Instruction Scope
SKILL.md restricts inputs to public https image URLs, requires prompt expansion and confirmation, and instructs running the included Node CLI which performs only API requests and polling. It does not instruct reading arbitrary host files or harvesting unrelated environment data. It documents optional overrides and warns about verifying their hosts.
Install Mechanism
No install spec or third‑party downloads; the skill is instruction + a single script that runs under Node 18+. Nothing in the package performs arbitrary downloads or writes during installation.
Credentials
Only a single required secret (WERYAI_API_KEY) is declared as primaryEnv. Optional env vars (WERYAI_BASE_URL, WERYAI_MODELS_BASE_URL, poll/timing) are documented and host-validated in the script. No unrelated tokens, keys, or system credentials are requested.
Persistence & Privilege
Skill is not marked always:true and doesn't request persistent system privileges or modify other skills. It can be invoked by the agent (normal for skills) but has no elevated install-time privileges.
Assessment
This skill appears to do exactly what it claims: run a local Node script that calls WeryAI using your WERYAI_API_KEY and returns video URLs. Before installing/use: (1) only set WERYAI_API_KEY if you trust WeryAI and this skill's source; don't embed the key in code or repo; (2) review scripts/video_gen.js yourself (it contains the HTTP calls and host-allowlist logic) or run it in an isolated container to limit blast radius; (3) avoid setting WERYAI_BASE_URL / WERYAI_MODELS_BASE_URL unless you control/verify the host (the script allows only localhost or *.weryai.com); (4) be aware each run consumes paid credits—monitor usage and rate limits; (5) ensure any images you supply are public https URLs (no local file paths). Overall the package is internally consistent and proportional to its stated purpose.
scripts/video_gen.js:68
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk976gc4h4mnbxmypxfjdees0r183a3b1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌱 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments