Skill v1.0.2

ClawScan security

Product Description to Ad · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 11:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions match its stated purpose (generating short ads via Revid's render API); it only needs a Revid API key and makes network calls to revid.ai — no other unexplained privileges or installs were found.
Guidance
This skill appears to do what it says: it builds a JSON payload and posts your product description to Revid's public API to render an ad, using a single REVID_API_KEY. Before installing or running it: (1) Be prepared to provide your Revid API key — the key is transmitted in an HTTP header to https://www.revid.ai and should be treated as a secret. (2) The bundled example script uses curl and jq even though the registry metadata lists no required binaries; ensure those tools are present or run equivalent HTTP calls. (3) Only send product text you are comfortable sharing with Revid (no private secrets). (4) Confirm any billing/credit usage with Revid (rendering video may consume paid credits). (5) If you need the skill to be prevented from autonomous use, disable model invocation or avoid granting it automatic invocation in your agent settings. Overall the skill is coherent and proportionate, but verify the API key scope and trustworthiness of revid.ai before supplying credentials.

Review Dimensions

Purpose & Capability
note: The skill claims to convert product descriptions into short ads and its SKILL.md and examples call Revid's /render and /status endpoints using a REVID_API_KEY. That is coherent. Minor inconsistency: the registry metadata lists no required binaries, yet the provided example script uses curl and jq; also the skill metadata declares REVID_API_KEY as a config path while the example uses it as an environment variable.
Instruction Scope
ok: Runtime instructions are narrowly scoped: validate prompt length, build the JSON payload, POST /render, poll /status, and return the video URL. The instructions do not ask the agent to read unrelated system files, other credentials, or transmit data to endpoints other than revid.ai (the behaviour is appropriate for the described purpose).
Install Mechanism
ok: There is no install specification (instruction-only), so nothing is written to disk or downloaded by an installer. This is lower risk. The included example shell script will perform network calls when run but there is no packaged installer or external archive download.
Credentials
note: The skill only requires a single service credential (REVID_API_KEY), which is appropriate for calling Revid's API. Note: the SKILL metadata lists REVID_API_KEY under config, while the example script expects it as an environment variable; the API key is sent in an HTTP header to revid.ai — so treat it as a sensitive secret. No other unrelated credentials are requested.
Persistence & Privilege
ok: always is false and the skill does not request persistent presence or modify other skills or system-wide settings. The skill does permit autonomous invocation by default (disable-model-invocation: false), which is normal for user-invocable skills and not by itself a problem.