Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Space Makeover Refresh Video (空间改造焕新视频)
v1.0.1
Generate vertical home makeover shorts (WeryAI): rental cream aesthetic, balcony café corner, themed kids’ rooms, strong before/after. Use when you need room...
by parallel world (@zoucdr)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the included artifacts: a Node.js CLI (scripts/video_gen.js), a WeryAI API doc, and SKILL.md. Required binary (node) and required env var (WERYAI_API_KEY) are appropriate and expected for a script that calls WeryAI.
Instruction Scope
SKILL.md constrains behavior (mandatory prompt expansion, confirmation before submit) and explicitly warns about local-image uploads. The bundled script will read local image files and POST them to WeryAI to obtain public URLs if callers pass local paths—this is documented, but it means the agent or user must explicitly consent before supplying local paths. The instructions otherwise do not attempt to read unrelated files or environment variables.
Install Mechanism
No install spec (instruction-only plus one included JS file). No third-party downloads or installers; the CLI is pure Node.js source bundled with the package, so nothing external is fetched at install time.
Credentials
Only WERYAI_API_KEY is required and declared as primaryEnv. That single credential is proportional to the skill's needs (API calls and optional local-file upload use the same key). Note: any use will consume WeryAI credits and the key has network access to the vendor endpoints.
Persistence & Privilege
Skill is not always-enabled (always:false) and uses normal agent invocation. It does not request modifications to other skills or system-wide settings.
Assessment
This package appears coherent for generating WeryAI videos, but take these precautions before enabling it:
1) Do NOT paste your WERYAI_API_KEY into the code or public repos; set it in the environment only.
2) Review scripts/video_gen.js yourself: it will upload local image files (if you pass local paths) to WeryAI using your API key. Avoid giving local paths unless you explicitly consent and understand the upload.
3) Prefer public https image URLs to avoid uploads.
4) Test with --dry-run where possible and run first in an isolated account or container to limit billing/credential exposure.
5) Monitor usage/credits and ensure prompt-confirmation flows are followed so the agent doesn't submit unintended jobs.
scripts/video_gen.js:675
Environment variable access combined with network send.
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
🏠 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
