ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeryAI video tool — lips change

v1.0.0

Lip-sync an existing HTTPS video to a separate audio URL via WeryAI (video-lips-change). Use when the user wants lip sync to new audio, not text-to-video.

0· 71·0 current·0 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (node), and required env (WERYAI_API_KEY) are consistent with a small CLI that calls the WeryAI video-lips-change endpoint.
Instruction Scope
SKILL.md explicitly limits the skill to using public https:// video/audio URLs and a single API key; the included JS implements HTTP calls to api.weryai.com and reads process.env.WERYAI_API_KEY. I could not verify the very end of the script (truncated in the provided content), so the assessment assumes no additional hidden behaviors elsewhere in the file.
Install Mechanism
No install spec is provided (instruction-only with a shipped script). No downloads or extracted archives are requested by the skill metadata.
Credentials
Only WERYAI_API_KEY is required and is the stated primary credential; no unrelated credentials or config paths are requested.
Persistence & Privilege
always is false, the skill is user-invocable and may be invoked autonomously (platform default). The skill does not request permanent presence or system-wide config changes.
Assessment
This package appears coherent, but review the full scripts before running. Specifically: (1) inspect the complete scripts/video_lips_change.js file to confirm there are no hidden network endpoints, local-file uploads, or extra env var reads beyond WERYAI_API_KEY; (2) do not store your WERYAI_API_KEY in files—use ephemeral environment only; (3) verify the API key’s permissions and billing implications (SKILL.md notes runs may be paid); (4) only pass public https:// URLs and avoid sending private/sensitive video/audio to third‑party services unless you understand the privacy implications; (5) prefer a dry-run first and require explicit user confirmation before any submit/wait operation that initiates a paid run. If you want higher assurance, provide the full untruncated script content for a deeper review.
scripts/video_lips_change.js:147
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk978tmbh3rsgd3tke8mejvgxrh83hjj8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎤 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments