Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nail Art Process Video

v1.0.1

Generates short videos of the nail art creation process. Cat-eye, quicksand, starry-sky, cream-gel and miniature 3D nail art: small scale with extremely high detail, close-up shots with a strong soothing feel, holiday themes supported, and a single sentence produces a clip.

by parallel world (@zoucdr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (nail-art short video generation) align with the included script (scripts/video_gen.js) which implements text/image→video submission, polling, and result extraction against a WeryAI-style API.
Instruction Scope
SKILL.md instructs the agent to run the bundled Node CLI (node scripts/video_gen.js ...) and to set WERYAI_API_KEY. The instructions focus on building prompts and confirming parameters; they do not ask the agent to read unrelated files or system secrets. However, SKILL.md requires WERYAI_API_KEY while the registry metadata lists no required env vars, so the manifest and the runtime requirements are inconsistent.
Install Mechanism
No install spec; the skill is instruction + a simple Node script with no npm dependencies. This is low-risk compared with remote installers or archives.
Credentials
The script requires an API key (WERYAI_API_KEY) to call remote generation APIs, but the registry metadata omits that requirement, which is a mismatch. The script also honors the WERYAI_BASE_URL and WERYAI_MODELS_BASE_URL environment variables (defaults point to api.weryai.com and api-growth-agent.weryai.com). Allowing a custom base URL is reasonable for testing, but it means an attacker or a misconfigured environment could redirect prompts and media to an arbitrary endpoint, exposing prompts, images and the API key (if set) to that endpoint.
Persistence & Privilege
The skill does not request always:true, does not modify system-wide configuration, and has no install step that persists privileged components. It runs as an explicit user-invoked Node CLI per SKILL.md.
What to consider before installing
- The skill will send your prompts (and any input images) to a remote service and requires a WERYAI_API_KEY; do not provide sensitive credentials. The registry metadata omits this required env var; confirm the publisher updates the metadata before trusting the package.
- By default the script calls api.weryai.com and api-growth-agent.weryai.com, but it also accepts WERYAI_BASE_URL and WERYAI_MODELS_BASE_URL overrides. Only set these to endpoints you fully trust, because a malicious URL could receive your prompts and any images or the API key.
- The code is readable and matches the described functionality (text/image→video generation and polling). There is no hidden obfuscation and no remote installer, so the risk is primarily network/exfiltration and the metadata mismatch.
- Additional checks you can do: verify the WERYAI service and its terms (privacy, data retention), request publisher/homepage information (none provided), and ask the publisher to update the registry to declare WERYAI_API_KEY as a required env var so the manifest matches the runtime requirements.
- If you must use this skill in a sensitive environment, avoid setting global env vars with broad credentials; use a dedicated, limited API key or a proxy that filters data and points to a trusted backend.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/video_gen.js:22: environment variable access combined with a network send.


Runtime requirements

Clawdis · bins: node