Hair Makeover Video

v0.1.4

Generate vertical short videos of hair makeover / dye transformation (WeryAI): scissor cuts, color gradients, and strong before/after contrast. Use when you...

by parallel world (@zoucdr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the actual behavior: the code and SKILL.md call WeryAI video generation endpoints and require Node + WERYAI_API_KEY. There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md confines actions to preparing prompts, calling the provided script, and showing results. It explicitly forbids local file inputs and documents which env var is read. The runtime instructions do not ask the agent to read unrelated files or secrets.
Install Mechanism
No install spec — the skill is instruction+script only. The script is plain Node.js (no download-from-unknown-URL behavior) and uses standard fetch calls to the documented API hosts.
Credentials
Only WERYAI_API_KEY is required and declared as the primary credential, which is proportional for a hosted-video-generation integration. No other secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with broad credential access.
Assessment
This skill appears to do exactly what it claims: it runs a local Node script that calls WeryAI endpoints and needs only your WERYAI_API_KEY. Before installing: (1) confirm you trust WeryAI and understand billing/credit usage (the SKILL.md warns calls consume credits); (2) provide the API key only to environments you control (don't paste it into chat or commit it to repos); (3) review scripts/video_gen.js yourself if you want to verify there are no hidden endpoints — the code shows requests go to api.weryai.com and api-growth-agent.weryai.com; (4) follow the SKILL.md guidance to use public https image URLs and run in an isolated container if you want extra assurance. If you need provenance of the skill/author or an official homepage, note the package metadata lists an unknown source and no homepage — that lack of publisher transparency is a separate trust consideration though not inconsistent with the skill's functionality.
scripts/video_gen.js:455
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97240nec893yy2q7hy92t3zgh83ax8s


Runtime requirements

💇 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
