Back to skill
Skillv1.0.1
ClawScan security
Revid API Foundations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 26, 2026, 11:10 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only Revid API reference that consistently requests a single Revid API key and describes only API calls the skill needs; nothing obvious is disproportionate, but the skill's origin is unspecified so verify the key and provenance before enabling it.
- Guidance
- This skill is an instruction-only Revid API reference and appears coherent: it only needs a single REVID_API_KEY and documents how to call /render and poll /status. Before installing, confirm the skill's provenance (no homepage/source listed) and that you trust the owner. Protect the REVID_API_KEY: use a key with minimal scope or a dedicated account, rotate it if possible, and avoid exposing it to untrusted agents. If you expect high-volume or unattended renders, prefer setting webhookUrl (recommended in the doc) to avoid continuous polling, and monitor usage/charges. Finally, if you are uncomfortable with autonomous agent actions, restrict the agent's permissions or require manual invocation for operations that will use your API key.
Review Dimensions
- Purpose & Capability
- okName and description claim to provide foundational Revid API guidance and the SKILL.md only requires a single Revid API key and documents the /render and /status endpoints — these requirements are consistent with the stated purpose.
- Instruction Scope
- okThe instructions describe HTTP calls, the required header (key: $REVID_API_KEY), response handling, polling, webhook usage, and failure modes. They do not ask the agent to read unrelated files or secrets. Note: the polling guidance implies frequent outbound requests (every 5–8s) which may be costly or noisy if run unattended.
- Install Mechanism
- okThere is no install spec and no code files — this is instruction-only, so nothing will be written to disk by an installer.
- Credentials
- okThe only credential/config required is REVID_API_KEY (declared in the skill metadata and used in instructions). That is proportional to a skill that calls Revid's API; no unrelated secrets or multiple credentials are requested.
- Persistence & Privilege
- okalways:false and default autonomous invocation are set. The skill does not request permanent presence or system-wide changes. Autonomous invocation is the platform default and not by itself a concern.