ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

scarcest-not-money-video-gen

v1.0.0

Create vertical scarcity-mystery shorts: not money, option teases, final reveal, timed English captions (WeryAI). Use for guess-the-answer hooks or motivatio...

0· 69·0 current·0 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), the single required env var (WERYAI_API_KEY), and the included scripts/docs all align with a text/image→video generator that calls WeryAI. There are no unrelated credentials or surprising binaries requested.
Instruction Scope
SKILL.md stays on-task (compose prompts, confirm reveal, call node scripts/video_gen.js). It explicitly documents that the bundled script may read local image files and upload them to WeryAI (and requires explicit consent before doing so). This file-level I/O and upload behavior is within the declared purpose, but it's a sensitive action the user must opt into and verify.
Install Mechanism
No external install/downloads; the package is instruction + a local Node script. There is no network-based installer or third-party binary pulled at run/install time beyond the expected API calls performed at runtime.
Credentials
Only a single credential (WERYAI_API_KEY) is required and is appropriate for a hosted video-generation integration. However, that API key is used for generation, model registry queries, and (if you provide local paths) file uploads — all of which may consume account credits and expose uploaded content to WeryAI. Use a key with least privilege or a short‑lived/test key for evaluation.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system-wide privileges. It does read local files only when given local image paths (and only the bundled script performs that), and it does not modify other skills or global agent configs.
Assessment
This skill is coherent for creating short 'scarcity' videos using WeryAI. Before installing or running it: (1) Confirm you want to provide WERYAI_API_KEY — this key will be used for model queries, generation, and (if you pass local file paths) uploads that may consume credits. Prefer providing public https:// image URLs instead of local file paths. (2) If you plan to use local images, review scripts/video_gen.js yourself and explicitly consent before allowing the agent to read and upload files. (3) Use a limited-scope or test API key in development, and monitor billing/usage on the WeryAI account. (4) Ensure Node 18+ runtime is available. If you want extra assurance, run the script in an isolated environment or with a throwaway API key while testing.
scripts/video_gen.js:675
Environment variable access combined with network send.
!
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ee385xhs1xj98fv3tp3wkn83dfb3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💎 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments