ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

think-x-actually-y-video-gen

v1.0.1

Create vertical three-beat debunks: you think X, actually Y, but Z—timed English captions on three segments (WeryAI). Use for mindset ladders, hot-take templ...

0· 110·0 current·0 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask for video generation via WeryAI; required binary (node) and required env var (WERYAI_API_KEY) are exactly what a Node-based WeryAI client needs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md keeps runtime scope focused: it requires explicit pre-submit confirmation of full prompts/parameters and prefers public https image URLs. The packaged script supports reading local image files and uploading them to WeryAI (turning local paths into public URLs). SKILL.md documents and gates this behavior (requests review and explicit user consent before local read-and-upload), so scope creep is acknowledged and controlled — but local-file uploads remain the main area where extra data can leave the system if a user supplies a path without understanding the implications.
Install Mechanism
No external install / download step; script is bundled with the skill and there are no arbitrary remote installers or third‑party package pulls. Risk from installation is low.
Credentials
Only WERYAI_API_KEY is required and is appropriate for the described API interactions (generation, model registry, and upload). The SKILL.md explicitly marks it as secret and warns not to commit it.
Persistence & Privilege
Skill does not request permanent/always-on privileges (always:false). It does not attempt to modify other skills or system-wide configuration. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
Assessment
This bundle appears to be what it says: a Node script that talks to WeryAI and requires a WERYAI_API_KEY. Before you use it: (1) Prefer supplying public https image URLs to avoid the script reading local files. (2) If you do provide local image paths, review scripts/video_gen.js and explicitly confirm the upload — the script will read that file and POST it (with your WERYAI_API_KEY) to api-growth-agent.weryai.com to create a public URL. (3) Use a limited/short-lived API key or an account with minimal credits for testing to limit exposure from accidental paid submissions. (4) Follow the SKILL.md pre-submit gate: do not allow any automated submits without explicit user confirmation of the full expanded prompt and parameters. (5) If you need higher assurance, run the script in an isolated environment, audit network requests, and revoke/regenerate the key after testing.
scripts/video_gen.js:675
Environment variable access combined with network send.
!
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976vwtc0y4rfjb4czspgt3g8h83eff1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔀 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments