Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Miniature Build Video

v1.0.5

Generate vertical miniature build & reveal shorts (WeryAI): text or finished-shot image to shallow-depth push-ins, lights coming on, immersive camera. Use wh...

by parallel world (@zoucdr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (miniature video generation) matches the actual footprint: Node.js CLI + network calls to WeryAI. Required binary (node) and required env var (WERYAI_API_KEY) are appropriate and expected.
Instruction Scope
SKILL.md and resources instruct the agent to run scripts/video_gen.js and to provide either public https image URLs or local image paths; the bundled script will read local image files (if given) and upload them to WeryAI. The README warns about this and recommends review/consent and using --dry-run first. This behavior is in-scope for an image→video tool but is important to notice because local files will be read and transmitted to the provider if used.
Install Mechanism
Instruction-only skill with a bundled script; no installer or remote downloads. Nothing is fetched or executed from untrusted URLs during install.
Credentials
Only one secret (WERYAI_API_KEY) is required and is the expected credential for the declared provider. No unrelated credentials, host overrides, or excessive env requirements are present.
Persistence & Privilege
always: false and normal autonomous invocation settings. The skill does not request persistent system-wide privileges or modify other skills’ configuration.
Assessment
This package is coherent with its stated purpose, but review and consider the following before installing: (1) Only set WERYAI_API_KEY if you trust WeryAI and the skill author; the key is used to authenticate API calls and uploads. (2) Do not include secrets in prompts or image metadata. (3) Prefer supplying public https image URLs; if you supply local file paths, the script will read those files and upload them to WeryAI (consuming credits). (4) Use node scripts/video_gen.js --dry-run first to inspect the JSON shape without performing network calls. (5) If you need strict data control, either do not set the key or run this in an isolated/test environment. Review scripts/video_gen.js yourself if you have any doubt.
scripts/video_gen.js:675
Environment variable access combined with network send.
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749d2b195577be38mvqdy4kh83cy0h


Runtime requirements

🏗️ Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
