Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

高压水枪冲洗解压视频 (satisfying pressure-washer rinse videos)

v1.0.1

Generate vertical satisfying pressure-wash shorts (WeryAI): text-to-video or dirty-surface image to rinse motion and a moving clean/dirty line. Use when you...

by parallel world (@zoucdr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (pressure-wash video generation) align with the required artifacts: a Node.js runtime, a WERYAI_API_KEY, and a bundled CLI script that calls WeryAI APIs. There are no unrelated env vars, binaries, or surprising hostnames; the required items are proportionate to the stated purpose.
Instruction Scope
SKILL.md keeps the agent workflow focused on prompt expansion, confirmation, and invoking node scripts/video_gen.js. It explicitly warns about local-image handling and requires review/explicit consent before reading local files. The included script will (if given local paths) read files from disk and POST them to https://api-growth-agent.weryai.com/growthai/v1/generation/upload-file using the WERYAI_API_KEY — behavior that is necessary for image→video flows but is an important data/secret-handling step that the user must authorize.
Install Mechanism
No remote install/downloads or package installers are used; the skill is instructions plus a bundled script. No archives, URL shorteners, or external installers are invoked. Risk from the install mechanism is low.
Credentials
Only a single credential is requested (WERYAI_API_KEY) and it is the documented primaryEnv. That key is used for model listing, generation, status, and (if needed) uploading local files. The credential request matches the service the skill integrates with.
Persistence & Privilege
The skill is not marked always:true; it is user-invocable, does not request system-wide config or other skills' credentials, and does not modify other skills. No elevated persistence privileges were detected.
Scan Findings in Context
[local_file_read_and_upload] expected: The bundled scripts/video_gen.js explicitly reads local image file paths and uploads them to the WeryAI upload endpoint (api-growth-agent.weryai.com) using Authorization: Bearer $WERYAI_API_KEY. This is expected for image→video flows but is a point where local files and the API key are used to create externally accessible URLs.
[http_api_calls_with_bearer_token] expected: The script makes HTTP(S) requests (fetch) to fixed hosts (api.weryai.com and api-growth-agent.weryai.com) and sends the WERYAI_API_KEY as Bearer token; this is required and consistent with the documented API usage.
[formdata_file_upload] expected: The code constructs a multipart/form-data upload (FormData + Blob) to exchange a local file for a public https URL. This is an explicit feature (not obfuscated).
Assessment
This package looks like a straightforward WeryAI video generator and requests only the WERYAI_API_KEY, which is expected. However, if you pass the included script local file paths, it will read those files and upload them to WeryAI using your API key, producing a public https URL. Before installing or supplying your API key: (1) review scripts/video_gen.js yourself (or have someone you trust review it) to confirm it matches your expectations; (2) do not provide local file paths unless you explicitly consent and are sure you want those files uploaded; prefer public https image URLs; (3) run the skill in a short-lived or isolated environment (a container or a separate account) if you are testing; (4) monitor your WeryAI account for unexpected usage and be prepared to rotate the API key if anything looks suspicious. If you need higher assurance, ask the skill author to sign the script or explain its upload/authorization flow in detail, or to remove the local-path upload capability.
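The consent gate that recommendation (2) asks for, written out as an added example. This is not the skill's own scripts/video_gen.js: it is illustrative code that keeps the request shape the scan describes (multipart FormData with a Blob, Authorization: Bearer with the key, POST to the upload endpoint named on this page) but refuses a local path unless the caller passes consentToUpload: true, refuses plaintext http:// URLs, and never writes the key or the full path to the log. The readFile and fetchImpl parameters, the mock fetch, and the sample file names are assumptions made so the flow runs offline.

```javascript
// Added example, not the skill's own scripts/video_gen.js: a consent-gated version of
// the image-input step this assessment describes. A public https URL passes through
// untouched; a local path is read and uploaded only when the caller explicitly passes
// consentToUpload: true. The endpoint is the one named on this page. readFile and
// fetchImpl are injected (assumption) so the flow runs offline against the mock below,
// and the log line never includes the API key.

const UPLOAD_URL = 'https://api-growth-agent.weryai.com/growthai/v1/generation/upload-file';

function classifyImageInput(input) {
  if (/^https:\/\//i.test(input)) return 'https_url';
  if (/^http:\/\//i.test(input)) return 'http_url';             // plaintext; refuse rather than downgrade
  if (/^[A-Za-z]:[\\/]/.test(input)) return 'local_path';        // Windows drive path
  if (/^[a-z][a-z0-9+.-]*:/i.test(input)) return 'unsupported';  // data:, file:, s3: and other schemes
  return 'local_path';                                           // anything else is a filesystem path
}

async function resolveImageInput(input, { consentToUpload = false, apiKey, readFile, fetchImpl } = {}) {
  const kind = classifyImageInput(input);
  if (kind === 'https_url') return { kind, url: input };
  if (kind === 'http_url') throw new Error('refusing plaintext http:// image URL; use https://');
  if (kind !== 'local_path') throw new Error(`unsupported image input: ${input}`);
  if (!consentToUpload) {
    throw new Error(`"${input}" is a local path; pass consentToUpload: true to read it and upload it to ${new URL(UPLOAD_URL).host}`);
  }
  if (!apiKey) throw new Error('WERYAI_API_KEY is not set');
  const name = input.split(/[\\/]/).pop();
  const bytes = await readFile(input);
  const form = new FormData();
  form.append('file', new Blob([bytes]), name);
  // Log the file name and byte count only: no key, no full path.
  console.log(`uploading ${name} (${bytes.byteLength} bytes) to ${new URL(UPLOAD_URL).host}`);
  const res = await fetchImpl(UPLOAD_URL, {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}` },
    body: form,
  });
  if (!res.ok) throw new Error(`upload failed: HTTP ${res.status}`); // do not echo request headers
  const { url } = await res.json();
  return { kind: 'uploaded', url, localPath: input };
}

// Mock fetch (constructed for this example): records the request and returns a fake
// upload response so nothing leaves the machine.
function makeMockFetch(captured) {
  return async (url, init) => {
    captured.url = url;
    captured.init = init;
    return { ok: true, status: 200, json: async () => ({ url: 'https://cdn.example.invalid/upload/abc.png' }) };
  };
}

async function demo() {
  const opts = { apiKey: 'test-key', readFile: async () => new Uint8Array([0x89, 0x50]), fetchImpl: makeMockFetch({}) };
  console.log(await resolveImageInput('https://example.invalid/dirty-driveway.jpg', opts));
  try {
    await resolveImageInput('./photos/dirty-driveway.jpg', opts);
  } catch (e) {
    console.log('refused:', e.message);
  }
  console.log(await resolveImageInput('./photos/dirty-driveway.jpg', { ...opts, consentToUpload: true }));
}

demo();
```

Swapping the injected fetchImpl for the real global fetch and readFile for fs.promises.readFile gives the live flow; keeping the consent flag as an explicit argument rather than an environment default is the point, since an agent cannot then upload a file without the user having said so in the invocation.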
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/video_gen.js:223: File read combined with network send (possible exfiltration).
scripts/video_gen.js:675: Environment variable access combined with network send.
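What those two pattern findings mean mechanically, as an added example rather than ClawHub's or OpenClaw's scanner: a small static check that pairs a network send with any file read or process.env access within a few lines of it and reports the pair as file:line, then lists the env var names and hostnames found so a reviewer can compare them with the ones declared above. The regexes, the line window, and the sample source are assumptions; the sample is constructed to resemble the upload flow described on this page and is not the contents of scripts/video_gen.js.

```javascript
// Added example, not ClawHub's or OpenClaw's scanner: a small static check that
// reproduces the two pattern families reported above ("file read combined with
// network send" and "environment variable access combined with network send")
// and lists the env var names and hostnames a reviewer would want to see.
// The regexes and the line window are assumptions; a production scanner would
// work on an AST rather than on lines.

const FILE_READ = /\b(?:fs\.(?:promises\.)?readFile(?:Sync)?|createReadStream)\s*\(/;
const ENV_ACCESS = /\bprocess\.env(?:\.\w+|\[)/;
const NET_SEND = /\b(?:fetch|https?\.request|axios\.(?:post|put|request))\s*\(/;
const WINDOW = 8; // a source more than this many lines from a sink is not paired with it

function scanSource(src, windowLines = WINDOW) {
  const lines = src.split('\n');
  const sinks = [];
  const reads = [];
  const envs = [];
  lines.forEach((text, i) => {
    const n = i + 1; // 1-based, matching the file:line form used in the findings
    if (NET_SEND.test(text)) sinks.push(n);
    if (FILE_READ.test(text)) reads.push(n);
    if (ENV_ACCESS.test(text)) envs.push(n);
  });
  const findings = [];
  for (const sink of sinks) {
    const near = (n) => Math.abs(n - sink) <= windowLines;
    const readSources = reads.filter(near);
    if (readSources.length > 0) {
      findings.push({ line: sink, pattern: 'local_file_read_and_network_send', sources: readSources });
    }
    const envSources = envs.filter(near);
    if (envSources.length > 0) {
      findings.push({ line: sink, pattern: 'env_access_and_network_send', sources: envSources });
    }
  }
  // Inventory for the reviewer: which env vars are read and which hosts are contacted.
  const envVars = [...new Set([...src.matchAll(/\bprocess\.env\.(\w+)/g)].map((m) => m[1]))];
  const hosts = [...new Set([...src.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)].map((m) => m[1]))];
  return { findings, envVars, hosts };
}

// Constructed sample modelled on the upload flow this page describes; it is not
// the contents of scripts/video_gen.js.
const SAMPLE_SOURCE = [
  "import fs from 'node:fs';",
  "const API = 'https://api-growth-agent.weryai.com/growthai/v1/generation/upload-file';",
  '',
  'async function uploadLocalFile(path) {',
  '  const bytes = fs.readFileSync(path);',
  '  const form = new FormData();',
  "  form.append('file', new Blob([bytes]), 'image.png');",
  '  const res = await fetch(API, {',
  "    method: 'POST',",
  "    headers: { Authorization: 'Bearer ' + process.env.WERYAI_API_KEY },",
  '    body: form,',
  '  });',
  '  return (await res.json()).url;',
  '}',
  '',
  'function readConfig() {',
  "  return fs.readFileSync('config.json', 'utf8');",
  '}',
].join('\n');

function report(src, file = 'sample.js') {
  const result = scanSource(src);
  for (const f of result.findings) {
    console.log(`${file}:${f.line} ${f.pattern} (sources at line ${f.sources.join(', ')})`);
  }
  console.log('env vars:', result.envVars.join(', '), '| hosts:', result.hosts.join(', '));
  return result;
}

report(SAMPLE_SOURCE);
```

On the constructed sample the check reports both patterns at the fetch on line 8 (file read on line 5, env access on line 10) and leaves the unrelated readConfig read on line 17 unpaired because it falls outside the window. That is also the limit of the heuristic: a read and a send in the same function but far apart, or a read whose bytes travel through a variable into a send elsewhere, needs data-flow analysis, which is why the page tells you to read the script rather than rely on the pattern list alone.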




Runtime requirements
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
