Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rusty Old Object Restoration Video

v1.0.2

Generate vertical satisfying rust restoration shorts (WeryAI): text-to-video or rusty-object image to grind and polish motion. Use when you need rust restora...

by parallel world @zoucdr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (rust restoration video generation) match what is required: Node.js and a WERYAI_API_KEY. The bundled CLI script and API docs target WeryAI endpoints and model registry, which is appropriate for the described capability.
Instruction Scope
SKILL.md gives detailed, confined runtime instructions (prompt expansion, confirmation before submit, model constraints). It explicitly calls out the risk of local-image handling and instructs obtaining explicit consent before reading/uploading local files. This is appropriate, but be aware the bundled script will read local file paths and upload them if invoked with a local path, so the agent must enforce the consent step in practice.
Install Mechanism
No install spec is provided (instruction-only packaging with a bundled script). That is low-risk: nothing is fetched or executed during install. The script is bundled with the skill (no external downloads), so no unexpected network install behavior is present.
Credentials
Only WERYAI_API_KEY is required (declared as primaryEnv) plus Node.js. That key is necessary for model listing, generation, and (optionally) upload endpoints; the request is proportionate to the skill's function. No other credentials or unrelated env vars are requested.
Persistence & Privilege
The skill is not forced-always (always: false) and does not request system-wide persistence or other skills' configs. It can be invoked autonomously (platform default), which is expected for an agent skill. No elevated privileges are requested.
Assessment
This skill appears coherent with its stated purpose, but follow these precautions before enabling it: (1) Review the bundled scripts/video_gen.js yourself (or ask for a review) because it can read local image files and will upload them to WeryAI if given a local path. Only allow local-file usage after explicit user consent. (2) Only provide your WERYAI_API_KEY if you trust the skill and the destination service; treat the key as a secret. (3) Prefer supplying public https image URLs to avoid uploading local files. (4) Be aware each real run consumes WeryAI credits—test with dry-run where available and consider running in an isolated environment or separate account for higher assurance.
scripts/video_gen.js:675
Environment variable access combined with network send.
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🛠️ Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
