ClawHub

Life Hack Video

v0.1.0

Generate vertical life-hack / gadget demo shorts (WeryAI): problem—tool—one-move payoff; stains, prep, storage, quick fixes. Use when you need a life hack de...

0· 96·0 current·1 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), and required env var (WERYAI_API_KEY) align with a text/image-to-video generator that calls WeryAI. The included script implements HTTP calls to WeryAI endpoints consistent with the stated function.
Instruction Scope
SKILL.md confines runtime actions to expanding prompts, validating parameters, and invoking the bundled Node CLI (scripts/video_gen.js) which submits and polls WeryAI jobs. It does not instruct reading unrelated files, other env vars, or exfiltrating system data. It explicitly warns about treating the API key as a secret and about public https image URLs.
Install Mechanism
No install spec; the skill is instruction-only with a bundled Node script. There are no downloads from external or untrusted URLs and no archive extraction. Required runtime is Node.js 18+ (fetch is used), which is appropriate.
Credentials
Only one required environment variable (WERYAI_API_KEY) is declared and used as the API bearer token by the script. That single credential is proportionate to the skill's stated networked generation purpose; no other secrets or unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request permanent presence or modify other skills/config. Autonomous invocation is allowed by default (disable-model-invocation: false) which is normal for skills and is not combined with other red flags here.
Assessment
This package appears internally consistent, but consider these precautions before enabling it with your real API key: (1) Only provide a WERYAI_API_KEY you trust — the script will send prompts and public image URLs to api.weryai.com and will consume WeryAI credits. (2) Do not commit the API key into repositories; use environment injection or a short-lived key. (3) Review scripts/video_gen.js (already bundled) yourself — it is the only code executed and it only performs HTTPS requests and polling. (4) Supply only public https image URLs (the skill rejects local paths). (5) If you worry about billing or data exposure, run in an isolated container/account or create a limited-key account with WeryAI. (6) Note the agent may invoke the skill autonomously when permitted by your agent policies — if you want stricter control, deny autonomous invocation in your agent settings before installing.
scripts/video_gen.js:455
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97beyq33j2nd9wzrf18wecfe983a2xq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💡 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments