Skill v1.1.0

ClawScan security

Video Generator Auto Post · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 1, 2026, 11:40 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (local video generation + auto-posting) is plausible, but the package and instructions are inconsistent about required credentials, included scripts/assets, and what is actually implemented — proceed only after clarifying and completing missing pieces.
Guidance
Plain-language checklist before installing/using this skill:
- Expect to supply social-media API credentials in a .env (Twitter, TikTok, Instagram, LinkedIn, YouTube) even though the registry didn't list them; only install this if you're comfortable providing those keys.
- The included auto-post.py only prints stub messages — it does not actually upload to platforms. Do not assume it will post without you implementing or trusting added code that performs uploads.
- Several scripts and assets mentioned in SKILL.md are missing from the package (batch-generate.py, generate-video.py, optimize-video.py, many referenced assets). Ask the author for the complete package or treat this as a draft.
- SKILL.md is Windows-centric (D: drive, ComfyUI.exe, winget) but registry has no OS restriction. Make sure path recommendations match your OS and that you don’t inadvertently point the tool at system locations you don’t want it to use.
- If you plan to use or modify the auto-post script: inspect any code you add for network endpoints and secure handling of credentials; store API keys only in secure locations and use least-privilege tokens where possible.

What would increase confidence: a corrected package that (1) declares required env vars in metadata, (2) includes the referenced scripts/assets, and (3) either implements safe, auditable API upload code or clearly documents that posting is a placeholder and how to configure a vetted client library.

Review Dimensions

Purpose & Capability
note: Name and description match the included files: it intends to generate videos locally (ComfyUI workflows) and auto-post them. However, the registry metadata claims no required env vars or config paths while the SKILL.md and scripts explicitly reference API credentials (Twitter/TikTok/Instagram/YouTube/LinkedIn) and a .env file. Several scripts and reference files referenced in SKILL.md (batch-generate.py, generate-video.py, optimize-video.py, many assets and references) are mentioned but not present in the package.
Instruction Scope
concern: SKILL.md instructs editing ComfyUI settings.json, installing models, and storing outputs on a D: drive (Windows-centric). It tells the user to configure API keys in a .env and to run scripts, but the included auto-post.py only prints placeholders and does not implement network posting. The instructions implicitly direct the user to provide service credentials and to place files in system paths (D:/...) not declared in metadata. The guidance is broader than what the packaged code actually performs.
Install Mechanism
ok: No install spec (instruction-only) — lowest install risk. The package contains a small Python script and markdown files; nothing in the manifest attempts to download or execute external code during installation.
Credentials
concern: Registry metadata reports no required environment variables, but SKILL.md and scripts expect API credentials in a .env (e.g., TWITTER_API_KEY, TIKTOK_CLIENT_KEY, INSTAGRAM_TOKEN, LINKEDIN_ACCESS_TOKEN, YOUTUBE_API_KEY). Requiring social-media credentials is reasonable for auto-posting, but the absence of these as declared requirements is an inconsistency that could mislead users about the secrets the skill will need. The script uses dotenv.load_dotenv(), so it will read environment variables, but the specific variables are not programmatically validated or declared.
Persistence & Privilege
ok: always is false and disable-model-invocation is not set — normal. The skill does not request persistent system-wide privileges, nor does it modify other skills. There is no install step that writes persistent binaries or alters agent configuration.