Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
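Mini Kitchen Cooking Video
v1.0.1
Generates mini-kitchen cooking short videos. Supports producing a video directly from a text description, or turning images of miniature cookware/ingredients into realistic cooking animation. Focuses on the delicacy of ultra-small cookware, the realistic cooking process of ingredients in miniature pots and pans, and the soothing, attention-holding effect of the cute contrast.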
by parallel world @zoucdr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description match the observed behavior: it constructs prompts and calls a video-generation API. However the SKILL.md and script explicitly require WERYAI_API_KEY (and optional WERYAI_BASE_URL / WERYAI_MODELS_BASE_URL), yet the registry metadata lists no required environment variables. That mismatch is incoherent and should be resolved before trusting the skill.
Instruction Scope
Runtime instructions ask the agent to run the bundled Node CLI (scripts/video_gen.js) to submit text/image prompts and image URLs to the WeryAI endpoints and poll for results. That scope is consistent with generating videos, but it means user-supplied text, prompts, and any image URLs will be transmitted to an external API (api.weryai.com by default). The SKILL.md does request public HTTPS image URLs only, which reduces some leakage risk but does not prevent sensitive data from being sent if provided.
Install Mechanism
There is no install spec (instruction-only) and the only runtime dependency is Node.js (declared in SKILL.md). The included script has no obfuscated code and uses plain HTTP JSON requests to documented endpoints. No remote downloads or archive extraction are performed by the skill itself.
Credentials
The script and SKILL.md require WERYAI_API_KEY to operate. Requiring a single API key for an external generation service is reasonable for the feature, but the skill metadata/registry omitted this required env var — an important omission. The script also supports optional WERYAI_BASE_URL and WERYAI_MODELS_BASE_URL overrides, which is reasonable but means the endpoint could be redirected if those env vars are set unexpectedly.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not attempt to modify other skills or system-wide agent settings. It executes a CLI script on demand and returns URLs; no elevated platform privileges are requested.
What to consider before installing
Before installing:
(1) Understand that this skill will send your text prompts and any image URLs you provide to an external service (api.weryai.com by default). Do not provide sensitive or private images/URLs.
(2) The SKILL.md and script require WERYAI_API_KEY, but the registry metadata omitted that requirement — confirm how the API key is supplied and stored.
(3) Prefer using an ephemeral or limited-permission API key when testing.
(4) Verify the endpoint (WERYAI_BASE_URL) if you need to ensure traffic goes to an approved host.
(5) Review the included scripts/video_gen.js yourself (it is present and not obfuscated) and test with --dry-run if available to observe behavior before giving credentials.
(6) Because the skill source and homepage are unknown, treat it as lower-trust: audit or run in an isolated environment if possible.
scripts/video_gen.js:22
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk974qdy4drgap8pg4pyhqqgh9s83d6c5
Runtime requirements
🍳 Clawdis
Bins: node
