ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeryAI video tool — face change

v1.0.0

Swap the face in an existing HTTPS video using a reference face image via WeryAI (video-face-change). Use when the user wants face replacement on a video URL...

0· 50·0 current·0 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (video face-swap) match the required pieces: Node runtime, one API key (WERYAI_API_KEY), and a single script that targets a video-face-change endpoint. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md and the CLI script limit inputs to public https:// URLs and the script validates that. The README explicitly warns not to run other sibling scripts. The included JS enforces URL checks, uses only the declared env var, and does not read local files or perform arbitrary uploads in the visible portion.
Install Mechanism
No install spec is provided (instruction-only with a shipped script). That is lower risk; the only runtime requirement is Node.js 18+, which is reasonable for a JS CLI. Nothing is downloaded from unknown URLs or written to disk by an installer.
Credentials
Only WERYAI_API_KEY is required and declared as the primary credential; the script reads process.env.WERYAI_API_KEY and no other environment variables are referenced in the visible code. This is proportionate to calling a hosted API.
Persistence & Privilege
The skill is not always-enabled and uses normal invocation. It does not request persistent system-wide privileges, does not modify other skills' configs, and contains no indication it would persist credentials to disk (SKILL.md explicitly warns against writing the API key to files).
Assessment
This package appears coherent for the declared purpose, but because it performs face replacement you should consider privacy and consent risks before using. Only provide public HTTPS URLs for the source video and reference image, keep WERYAI_API_KEY secret and dedicated (do not reuse a broad-privilege key), and confirm you want a paid run before issuing submit/wait. If the skill's source is not from a trusted origin, inspect the full scripts folder for any extra CLI files (the SKILL.md warns some unrelated files may be present) and verify the script only talks to api.weryai.com. Finally, ensure you have permission from people depicted in the video before swapping faces.
scripts/video_face_change.js:147
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk974dy6j9yh1bvdyp70t4ztkf983h4c0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🙂 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments