Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

soap-cut-video

v1.0.0

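Generates soap/wax block cutting ASMR stress-relief short videos. Supports producing a video directly from a text description, or turning a photo of a real object into a cutting animation. Focuses on neat slices, the exposed colors of the cross-section, and the satisfying moment when powder falls, paired with cutting ASMR sound effects.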

by parallel world @zoucdr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (generate soap/wax ASMR videos) align with the included script and runtime instructions: the skill uses a local Node CLI (scripts/video_gen.js) to call the WeryAI video generation API. Requiring Node is coherent. However, the registry metadata lists no required environment variables while both SKILL.md and the script explicitly require a WERYAI_API_KEY — this metadata omission is an incoherence.
Instruction Scope
SKILL.md instructs the agent to run the bundled Node CLI (node scripts/video_gen.js ...) with JSON params or an image URL and then parse stdout for a returned link. The instructions do not ask to read unrelated local files or other credentials. They do, however, require uploading user-provided prompts and public HTTPS image URLs to an external API (WeryAI), which is expected for this functionality but has privacy implications.
Install Mechanism
There is no install spec — the skill is instruction-only but includes a single Node script. No external installers or downloads are performed. Running the skill will execute the included script with the system's node binary; this is low-risk from an install mechanism perspective but depends on trusting the bundled script.
Credentials
The SKILL.md and scripts require WERYAI_API_KEY (and optionally WERYAI_BASE_URL / WERYAI_MODELS_BASE_URL) to contact WeryAI endpoints. That credential is appropriate for a remote video-generation service, but the registry metadata incorrectly declares no required env vars — a mismatch that could lead users to miss that they must provide an API key. There are no other unexpected secrets requested.
Persistence & Privilege
The skill is not always-enabled, does not request elevated system privileges, and does not modify other skills' configurations. It will run the included script and make network requests; autonomous invocation is allowed (platform default) but not combined with other high-privilege flags.
What to consider before installing
This skill generally does what it says: it runs the bundled Node script to call a remote video-generation API and returns a link. Before installing or using it: (1) note that you must supply a WERYAI_API_KEY (the registry metadata omitted this) — don't paste other credentials. (2) Any image URLs or prompt text you send will be transmitted to WeryAI's API (default https://api.weryai.com); avoid uploading private or sensitive images. (3) Inspect scripts/video_gen.js yourself (it's included) to confirm there are no hidden endpoints or unwanted behavior; the script appears to call WeryAI endpoints only. (4) Run in an isolated environment or with a limited API key (if possible) and test with --dry-run first. (5) If provenance of this skill is unknown or you cannot verify the API/service, be cautious — consider contacting the skill author or preferring a skill with a known homepage/source.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/video_gen.js:22: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🧼 Clawdis
Bins: node