Skill v1.0.2

ClawScan security

AIML Generate images and videos · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 4:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment variables are consistent with its stated purpose of generating images and videos via an AIMLAPI service.
Guidance
This skill appears to do what it says: it requires AIMLAPI_API_KEY and will POST prompts to api.aimlapi.com and download returned media URLs. Before installing, verify the AIMLAPI service and that you trust the skill source (homepage unknown). Protect the API key (use a scoped key if possible, and secure any --apikey-file). Be aware that downloaded media URLs come from the remote API — validate or sandbox usage if you worry about malicious payloads or unexpected content. Finally, avoid including sensitive data in prompts sent to the remote API.

Review Dimensions

Purpose & Capability
ok: Name/description, declared env var (AIMLAPI_API_KEY), example endpoints (/v1 images, /v2 video), and included scripts all align with a media-generation helper for AIMLAPI.
Instruction Scope
ok: SKILL.md only instructs exporting AIMLAPI_API_KEY and running the provided scripts. The scripts perform expected actions: build payloads, POST to AIMLAPI, poll the async video endpoint, and download returned media. They do not read unrelated system files or request unrelated credentials.
Install Mechanism
ok: No install spec (instruction-only) and bundled scripts only; nothing is downloaded during install and no external installers or archive extraction are used.
Credentials
ok: Only AIMLAPI_API_KEY is required (with optional --apikey-file). That matches the skill's purpose. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: Skill is not always-enabled, does not request elevated/system-wide persistence, and does not modify other skills or agent configs.