Skill v1.0.0
ClawScan security
neodomain-ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:32 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (wrap Neodomain API calls) and requests only a service token and python3, but there are a few operational gaps you should be aware of before installing.
- Guidance: This package appears to be a straightforward client for the Neodomain service, but check the following before installing or running it:
  - Understand that images/videos and storyboard files you provide may be uploaded to the provider's OSS (wlpaas.oss-cn-shanghai.aliyuncs.com) via temporary STS credentials—do not send sensitive/private images if you don't trust the service.
  - You will need to provide NEODOMAIN_ACCESS_TOKEN (or run the login flow, which asks for your phone/email and verification code). Keep that token secret and avoid committing it to files or shared shells.
  - The scripts import a third-party Python library (oss2), but the README does not automatically install Python deps—install required packages (e.g., pip install oss2) in a controlled virtualenv before running.
  - Review network endpoints (story.neodomain.cn and wlpaas.oss-cn-shanghai.aliyuncs.com) to ensure they are acceptable for your data/privacy policies.
  
  If you want higher assurance, ask the maintainer for a full dependency list (requirements.txt) and an explicit statement that user data is only uploaded to the Neodomain service for generation purposes.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the code and SKILL.md: scripts call Neodomain endpoints (story.neodomain.cn) to generate images/videos and perform authentication. Requiring python3 and NEODOMAIN_ACCESS_TOKEN is appropriate for this purpose.
- Instruction Scope (note): Runtime instructions and scripts stay within the generation workflow, but several scripts (e.g., batch_video.py) upload user files to the provider's OSS (wlpaas.oss-cn-shanghai.aliyuncs.com) via temporary STS credentials. The SKILL.md mentions authentication but does not explicitly warn that user images/storyboards will be uploaded to the provider's OSS; the login flow requires the user to provide a phone/email and verification code (expected for token issuance).
- Install Mechanism (note): This is instruction-only (no platform install spec), which reduces install risk. However, some scripts import third-party Python packages (notably oss2 in batch_video.py), but the SKILL.md / INSTALL.md do not declare or automate these Python dependency installs—users will need to pip-install dependencies manually. There are no external archive downloads or short/unknown URLs used for installing code.
- Credentials (ok): Only NEODOMAIN_ACCESS_TOKEN is required and is the primary credential; that is proportional to the stated functionality. The login script collects a contact (phone/email) and verification code from the user to obtain the token, which is consistent with the service's auth flow.
- Persistence & Privilege (ok): The skill is not forced-always or privileged; it doesn't request persistent platform privileges or modify other skills. Autonomous invocation is allowed by default (normal for skills) but not excessive here.
