Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Food Sugar-Shell / Oozing-Center Cut-Open Video
v1.0.0
Generate vertical satisfying sugar-shell crack & pour shorts (WeryAI): text-to-video or dessert image to shell shatter and flowing center motion—first-three-...
by parallel world @zoucdr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), single required env var (WERYAI_API_KEY), included CLI script, and resource documentation all align with a WeryAI text/image→video generator.
Instruction Scope
SKILL.md requires prompt expansion and explicit user confirmation before submission and documents the CLI usage. It also warns about local-file handling and asks for explicit consent before reading/uploading local images — this is appropriate, but remains a user-facing risk: the script will read local files and upload them if given local paths, so agents must follow the SKILL.md requirement to ask for consent and prefer public https URLs.
Install Mechanism
No install spec; this is an instruction-only skill with a bundled Node script. There are no external downloads or installers; risk from installation is low. The script has no obfuscated loaders or unexpected remote fetches outside documented WeryAI endpoints.
Credentials
Only WERYAI_API_KEY is required and is justified: the script uses that key for model, generation, status, and for uploading local images. No unrelated credentials or extra env vars are requested.
Persistence & Privilege
Skill is not always-on, does not request elevated platform privileges, and does not modify other skills' configuration. Autonomous invocation is permitted by default but is not combined with other broad privileges here.
Assessment
This skill appears to do what it says: it runs the included Node script and calls WeryAI using the WERYAI_API_KEY. Before installing/providing the API key: (1) review scripts/video_gen.js yourself (it will read local image files and upload them if you pass local paths); prefer supplying public https image URLs; (2) do not commit WERYAI_API_KEY into source control; (3) be aware each real run consumes WeryAI credits; (4) ensure the agent follows the SKILL.md instruction to expand prompts and explicitly ask you before using any local files; and (5) if you want extra isolation, run generation in a short-lived container or separate account. If you need me to, I can scan the full video_gen.js for specific code paths you care about or summarize exactly when and how it reads/uploads local files.
scripts/video_gen.js:675
Environment variable access combined with network send.
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk973k4bfm6cahx365s2bkczsts83f414
Runtime requirements
🍬 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
