Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Organizing and Tidying Stress-Relief Videos

v1.0.5

Generate vertical shorts of organizing from chaos to order (WeryAI): closets, fridges, vanities, desks, luggage. Use when you need organizing satisfying vide...

by parallel world (@zoucdr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (organizing video generation) match the code and docs: the CLI calls WeryAI endpoints to create videos. Declared requirements (node, WERYAI_API_KEY) are necessary and expected for this functionality.
Instruction Scope
SKILL.md and bundled docs clearly describe runtime behavior and explicitly warn that local files may be read and uploaded to WeryAI; they require the API key for non-dry-run operations and instruct prompt expansion before submit. This is within scope, but the ability to read local image files and upload them is a material data-flow decision users must review before enabling the key (SKILL.md already highlights this).
Install Mechanism
There is no external install script or downloader; the skill is instruction-first and bundles a single Node.js script. No suspicious download URLs or extract steps are present.
Credentials
Only a single credential is required (WERYAI_API_KEY) and it is the primaryEnv; that is proportionate for a skill that calls WeryAI APIs. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true and has no install-side persistence. It does network calls when run and may upload local files only when invoked; autonomous invocation is allowed by default but not unusually privileged here.
Assessment
This package appears coherent for generating videos via WeryAI, but take the following precautions before installing or setting WERYAI_API_KEY:
- Only set WERYAI_API_KEY if you trust WeryAI and understand billing/permissions; prefer a limited/test key first.
- Review scripts/video_gen.js before any paid run to confirm it handles local files in a way you accept — the CLI will read local image files and upload them (creating a public URL) if you pass local paths.
- Prefer supplying public https:// image URLs rather than local files to avoid uploading local content.
- Use the provided --dry-run paths to inspect JSON the CLI would send before performing paid operations.
- Ensure Node.js 18+ is available and monitor usage/costs when you submit jobs.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/video_gen.js:675: Environment variable access combined with network send.
- scripts/video_gen.js:223: File read combined with network send (possible exfiltration).


Runtime requirements

📦 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
