ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

world-as-100-people-video-gen

v1.0.1

Create ‘world as 100 people’ verticals: shrink hook, stat morphs, punchline, timed English captions and motion graphics (WeryAI). Use for infographic TikToks...

0· 84·0 current·0 all-time
byparallel world@zoucdr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim video generation using WeryAI; the package includes a Node.js CLI (scripts/video_gen.js), references WeryAI API hosts, and requires only node + WERYAI_API_KEY — all expected for this purpose.
Instruction Scope
SKILL.md and resources document the normal flows (text→video, image→video, multi-image) and explicitly prefer public https image URLs. The shipped script will read a local image file (if provided) and upload it to api-growth-agent.weryai.com using the WERYAI_API_KEY to obtain a public URL before requesting video generation. That local-file read-and-upload behavior is within scope for image→video but relies on the agent or operator to obtain explicit user consent before allowing local file access — if the agent doesn't honor that, local file exfiltration could occur. SKILL.md does call out this requirement and asks for review/consent.
Install Mechanism
There is no install spec and no external downloads; the skill is instruction-only with a bundled Node script. No network install from untrusted URLs is present. This is low installation risk.
Credentials
Only WERYAI_API_KEY is required and declared as the primary credential. The script reads no other environment variables. Requesting a single API key is proportional for a hosted video-generation service that needs auth.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or global configuration. Autonomous invocation is allowed by default (normal for skills) but not combined with other concerning privileges.
Assessment
This package appears to do what it says: generate short videos via WeryAI and, when given local image paths, read the file and upload it to WeryAI's upload endpoint using your WERYAI_API_KEY. Before installing or running it: (1) do not commit your WERYAI_API_KEY to source control; prefer a short‑lived or scoped API key if WeryAI supports that; (2) prefer supplying public https image URLs so no local-file read/upload is necessary; (3) if you must allow local image paths, review scripts/video_gen.js yourself and explicitly consent to local file access — the SKILL.md asks for that, but make sure your agent actually enforces it; (4) verify the API host (api.weryai.com and api-growth-agent.weryai.com) and rotate keys after testing; (5) if you do not want the skill invoked autonomously, disable autonomous invocation in your agent settings or require manual confirmation before runs.
scripts/video_gen.js:675
Environment variable access combined with network send.
!
scripts/video_gen.js:223
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk975bn27mar98zd5jqwjz3pr5583ecse

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👥 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY

Comments