Back to skill
Skillv1.0.0
ClawScan security
PDF to Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 26, 2026, 3:15 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions align with its stated purpose (calling Revid's API to convert a public PDF URL into a short summary video); nothing in the bundle is disproportionate or unrelated to that goal.
- Guidance
- This skill sends PDFs (or a public URL) and requests that Revid process them; you must provide REVID_API_KEY. If your PDF is private or contains sensitive information, note the SKILL.md explicitly instructs re-hosting it on public storage so Revid can fetch it — that can expose content. Before installing: 1) confirm you trust https://www.revid.ai and review its privacy/retention policies; 2) avoid using production/confidential PDFs unless you control the storage and access; 3) use a scoped or disposable API key if possible and rotate keys after testing; 4) test with non-sensitive documents first to confirm costs and behavior; 5) if you do not want autonomous calls, restrict or disable autonomous invocation at the agent/platform level. Overall the skill is coherent with its purpose, but treat private content and API keys cautiously.
Review Dimensions
- Purpose & Capability
- okName/description match the behavior: the SKILL.md and examples call Revid's public API (www.revid.ai) and require a REVID_API_KEY. No unrelated credentials, binaries, or surprising capabilities are requested.
- Instruction Scope
- noteInstructions stay focused on extracting PDF text and calling Revid's article-to-video workflow. One important operational note: local PDFs must be uploaded to public storage (S3, Supabase, etc.) so Revid can fetch them — this is a privacy/availability requirement, not hidden malicious behavior. The example scripts only POST to revid.ai and poll status; they do not read or send unrelated files or secrets.
- Install Mechanism
- okNo install spec (instruction-only) and included example scripts are small shell/json files. Nothing is downloaded from arbitrary URLs or written to disk beyond the provided examples.
- Credentials
- okOnly REVID_API_KEY is required (declared in SKILL.md metadata and used by examples). That single credential is proportionate to a service that requires API authentication; no other secrets are requested.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills, and is user-invocable. Default autonomous invocation is enabled (platform default) but not combined with other concerning flags.