Multishot UGC

Generate 10 perspective/angle variations from a single image for multi-shot UGC videos. ✅ USE WHEN: - Have a hero image and need camera angle variations - Creating multi-scene UGC videos (need different shots) - Want close-ups, wide shots, side angles from one source - Building a video with scene changes ❌ DON'T USE WHEN: - Don't have a hero image yet → use morpheus-fashion-design first - Need completely different scenes/locations → use Morpheus multiple times - Just need one image → skip this step - Want to edit images manually → use nano-banana-pro INPUT: Single image (person with product) OUTPUT: 10 PNG variations with different perspectives TYPICAL PIPELINE: Morpheus → multishot-ugc → select best 4 → veed-ugc each → Remotion edit

Before installing or running this skill: - Expect to provide a COMFY_DEPLOY_API_KEY environment variable (the script will fail without it). The registry metadata failing to list this is an inconsistency you should ask the publisher to fix. - Understand that local images will be uploaded to https://api.comfydeploy.com and outputs downloaded back; do not upload sensitive or private images unless you trust ComfyDeploy and have reviewed their terms/privacy. - Verify the deployment_id and the ComfyDeploy domain independently (publisher/source is unknown and no homepage is provided). If you don't recognize the provider, request provenance or use an alternative with known trust. - Limit the API key scope if possible, store it securely, and rotate/revoke it if exposed. - If you need stronger assurance, ask the skill author to (a) declare COMFY_DEPLOY_API_KEY in the registry metadata, (b) provide a homepage or source provenance, and (c) explain data retention/processing on ComfyDeploy for uploaded images.

Type: OpenClaw Skill Name: multishot-ugc Version: 1.0.1 The `scripts/generate.py` file contains a critical vulnerability that allows arbitrary local file upload and potential data exfiltration. The `--image` argument, intended for an image path, is read and uploaded to `api.comfydeploy.com` without validation of its content or type. An attacker could specify a path to any sensitive file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), leading to its exfiltration. Additionally, the `download_images` function is vulnerable to path traversal if the `filename` returned by the external API is malicious (e.g., `../../malicious.sh`), potentially allowing arbitrary file writes. These are significant vulnerabilities, but without clear evidence of intentional malicious design by the skill developer, it is classified as suspicious rather than malicious.