Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

outfit-transition-video

v1.0.0

Generate vertical shorts of anthropomorphic outfit changes on beat (WeryAI): one-second cuts, style jumps, accessory macros. Use when you need outfit transit...

by parallel world @zoucdr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (outfit transition video) align with requested artifacts: Node.js and a single WERYAI API key. Required binaries, env var, and included resources reference WeryAI endpoints and the bundled CLI; nothing requests unrelated cloud credentials or system-level access.
Instruction Scope
SKILL.md tightly scopes runtime behavior: expand prompts, present confirmation table, prefer public https image URLs, and only use local image files after explicit consent. The bundled scripts/video_gen.js implements local-file handling (reads files and uploads them to api-growth-agent.weryai.com when an image value is not a public https URL). This is documented in SKILL.md, but reviewers/installers should verify and explicitly consent before allowing local-file uploads because the script will read disk and send file contents (using the same WERYAI_API_KEY).
Install Mechanism
No install spec — instruction-only with a shipped JS script. No network-install download steps or obscure installers. The risk surface is limited to running the included Node.js script; reviewers should still inspect the script before running it in production.
Credentials
Only WERYAI_API_KEY is required and is the declared primary credential; this is proportional because the script authenticates to WeryAI for model queries, generation, and (optionally) file upload. Note that the key grants ability to start paid tasks and to upload local files (if used), so treat it as sensitive and consider using a short-lived or scoped key where possible.
Persistence & Privilege
Skill does not request persistent/always-on presence and does not modify other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but not combined with other unusual privileges.
Assessment
This package appears to do what it says: it calls WeryAI and needs WERYAI_API_KEY and Node 18+. Before installing or running: (1) review scripts/video_gen.js yourself (it is included) to confirm you accept its behavior, especially local-file upload logic; (2) never embed your API key in the package—set it in the environment at runtime; (3) prefer supplying public https image URLs so the script will not read your filesystem; (4) be aware each real run consumes WeryAI credits—test with --dry-run first; (5) if you must allow local-file uploads, get explicit user consent and consider running in an isolated account/container and rotate or use a scoped/short-lived API key to limit exposure.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/video_gen.js:675: Environment variable access combined with network send.
scripts/video_gen.js:223: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

👗 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
