Skill v1.0.0
ClawScan security
Tweet to Talking-Head · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 26, 2026, 3:14 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match its stated purpose (it uses the Revid API to render talking‑head videos and only needs a Revid API key); nothing in the bundle is disproportionate or inconsistent.
- Guidance: This skill is coherent but you should still consider: (1) it sends post content and an avatar image URL — and your REVID_API_KEY — to revid.ai, so confirm you trust Revid and are okay with their data retention and usage policies; (2) prefer pasting thread text (SKILL.md recommends this) to avoid relying on scraping external URLs, which may touch third‑party sites and could violate that site's terms; (3) ensure avatar image URLs point to public assets you own or are allowed to use; (4) treat the REVID_API_KEY like a secret: store it in a secure credential store, rotate it if compromised, and monitor API usage/logs; (5) review Revid's pricing and quotas before bulk use. Overall the skill appears to do what it claims, with no disproportionate permissions or hidden endpoints.
Review Dimensions
- Purpose & Capability (ok): Name/description describe converting a post/thread into a talking‑head video; the SKILL.md and example script call https://www.revid.ai and require REVID_API_KEY — this is appropriate and expected for a Revid integration.
- Instruction Scope (note): Runtime instructions are focused on forming JSON payloads and calling Revid's /render and /status endpoints. The SKILL.md includes a URL-based fallback that instructs the API to 'scrape' a post via a scrapingPrompt — that will cause remote retrieval of the provided post URL (expected for the stated fallback, but a privacy/ToS consideration). The example script only reads a user-supplied text file and sends content + avatar URL to revid.ai; it does not access other system files or hidden credentials.
- Install Mechanism (ok): No install spec; this is instruction-only with an example shell script. The script uses standard tools (curl, jq) and does not download or install third‑party code. Lowest-risk install behavior.
- Credentials (ok): Only one credential/config is required: REVID_API_KEY. The example script uses that key as an HTTP header when contacting revid.ai — this is proportionate to the skill's function and is declared in SKILL.md metadata.
- Persistence & Privilege (ok): always is false and the skill is user‑invocable; model invocation is allowed (the platform default). The skill does not request persistent system presence or modify other skills' configuration.
