v1.0.0

AI Notes of Video

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

This skill appears to do what it claims—send a user-provided video URL to Baidu to generate notes—but users should notice that it uses a Baidu API key and an external Baidu service.

Guidance: This looks safe for its stated purpose if you intend to use Baidu's video-note service. Before installing, set BAIDU_API_KEY only in an environment you trust, use a limited key if available, monitor quota or billing, and submit only video URLs you are comfortable sharing with Baidu.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

The registry metadata omits requirements that are present in SKILL.md and the scripts, namely Python execution and BAIDU_API_KEY. This is a transparency/setup issue rather than evidence of malicious behavior.

User impact: Install-time or registry views may not clearly show that the skill needs a Baidu API key and Python-based helper scripts.
Recommendation: Review SKILL.md before use and ensure the registry metadata is corrected to declare Python and BAIDU_API_KEY.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/ai_notes_task_create.py
api_key = os.getenv("BAIDU_API_KEY") ... "Authorization": "Bearer %s" % api_key

The script reads a local Baidu API key and sends it as a bearer token to Baidu. This is expected for the service integration, but it is still credential-backed account access.

User impact: Using the skill may consume Baidu API quota or operate under the permissions of the configured Baidu API key.
Recommendation: Use a scoped Baidu API key if possible, avoid sharing the key, and monitor API usage or billing.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/ai_notes_task_create.py
url = "https://qianfan.baidubce.com/v2/tools/ai_note/task_create" ... params = { "url": video_url } ... requests.post(url, headers=headers, json=params)

The user-provided video URL is transmitted to Baidu's external API for processing, which matches the stated purpose but creates a third-party data flow.

User impact: Private or pre-signed video links submitted to the skill may become accessible to Baidu's service for note generation.
Recommendation: Only submit video URLs that you are comfortable sending to Baidu, and avoid sensitive or non-shareable links unless that is intended.