Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
one-number-explains-video-gen
v1.0.0
Create vertical data-stat hooks: hero number, ramping counter or graph, closing meaning line, timed English captions (WeryAI). Use for dataviz Shorts, macro...
by parallel world @zoucdr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (one-number data-hook video generation) match the declared requirements: Node.js runtime and a single WERYAI_API_KEY. The code and resource docs implement a CLI that calls WeryAI video endpoints (text-to-video, image-to-video, multi-image) which is expected for this purpose.
Instruction Scope
SKILL.md and the included resources limit scope to building video prompts, running node scripts, and interacting with WeryAI. The script can read local image files and upload them to WeryAI (to produce a public HTTPS URL) — this local-read-and-upload behavior is documented in SKILL.md and resources, and the skill explicitly asks for review/consent before using local paths. That capability is within scope for image→video flows but is important to note before allowing local file access.
Install Mechanism
No install spec (instruction-only with a shipped Node script). No external downloads or package registry installs are required. The script is self-contained and declares zero npm dependencies, which is proportionate.
Credentials
Only one secret is required: WERYAI_API_KEY (declared as the primary credential). That single API key is appropriate for an integration that authenticates to WeryAI for model listing, generation, and (optionally) file upload. No unrelated credentials or extra environment variables are requested.
Persistence & Privilege
The skill is not always-included and does not request elevated/ongoing platform privileges. It does not attempt to modify other skills or system-wide config. Autonomous invocation remains allowed by platform default but is not combined with other red flags here.
Assessment
This skill appears to do what it says: it runs a Node CLI that calls WeryAI endpoints and requires only WERYAI_API_KEY. Before use: (1) review scripts/video_gen.js if you plan to supply local image paths — the script will read local files and POST them to api-growth-agent.weryai.com using your WERYAI_API_KEY to obtain a public URL; only allow that if you explicitly consent to uploading those files. (2) Prefer supplying public https:// image URLs to avoid local uploads. (3) Treat WERYAI_API_KEY as a secret (use a short-lived or scoped key if possible), and run generation in an isolated environment if you are concerned about data exposure. (4) If you need stronger assurance, inspect the remainder of the shipped script (the main entrypoint) to confirm it only reads WERYAI_API_KEY and the documented hosts.
scripts/video_gen.js:675
Environment variable access combined with network send.
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔢 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
