Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

one-detail-reads-person-video-gen

v1.0.0

Create vertical social-read shorts: one-cue thesis, example beat, playful closer, timed English captions (WeryAI). Use for psychology hooks, micro-behavior r...

by parallel world @zoucdr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (social-read short videos) align with the included assets: a Node.js CLI script (scripts/video_gen.js), documentation for WeryAI endpoints, and a single required environment variable WERYAI_API_KEY. Requiring node and the WeryAI key is proportionate to generating videos.
Instruction Scope
SKILL.md and resources explicitly describe prompt expansion, timed captions, and the CLI usage. They also document an 'advanced' flow where non-https image inputs are treated as local file paths that the script will read and upload to WeryAI. This local-file read-and-upload behavior is in-scope for image→video functionality but is a privacy-sensitive action and the skill correctly documents that you should review video_gen.js and give explicit consent before allowing local-path uploads.
Install Mechanism
There is no external install/download step; the package is instruction-plus-script with no network-based installer. No third-party packages are pulled at install time. This is low-risk from an install mechanism perspective.
Credentials
Only WERYAI_API_KEY is required (declared as primaryEnv). That single credential is appropriate for calling the WeryAI API and for the documented upload endpoint; no unrelated credentials or system secrets are requested.
Persistence & Privilege
The skill is not always-enabled (always:false) and does not request to modify other skills or global agent settings. It does not attempt to persist additional credentials or to escalate privileges in the package files provided.
Scan Findings in Context
[local-file-upload-to-growth-agent] expected: The script will read a local image file (if provided) and POST it to https://api-growth-agent.weryai.com/growthai/v1/generation/upload-file using WERYAI_API_KEY, then use the returned public https URL for generation. This behavior is necessary for image→video flows but is privacy-sensitive and the SKILL.md explicitly warns to review and consent.
[fixed-api-hosts-and-key-usage] expected: API hosts (https://api.weryai.com and https://api-growth-agent.weryai.com) are hard-coded in the script and the script reads only WERYAI_API_KEY. Fixed hosts and a single API key are expected for this integration.
Assessment
This skill appears coherent for generating short vertical videos with WeryAI. Before installing or running it:
(1) Review scripts/video_gen.js yourself (or have a developer review it) if you plan to pass any local file paths — the script will read those files and upload them to an external WeryAI upload endpoint using your WERYAI_API_KEY.
(2) Prefer supplying public https image URLs to avoid local uploads.
(3) Use a least-privilege or short-lived WERYAI_API_KEY and avoid sharing other credentials.
(4) Do not provide images of private individuals or non-public figures without consent; the SKILL.md already warns about privacy and content boundaries.
(5) Ensure Node.js 18+ is available.
If you cannot review the code or do not want any file reads/uploads, decline local-path usage and only provide public https image URLs or text-only prompts.
scripts/video_gen.js:675: Environment variable access combined with network send.
scripts/video_gen.js:223: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ekshxnqba3pvpj7ryegzbvn83cry3

Runtime requirements

🎭 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY