Skill v1.0.0
ClawScan security
ClawVideo Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:12 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's behavior (calling json2video API using an API key) matches its stated purpose, but the registry metadata omits the required environment variable and there are a few documentation/credential ambiguities that warrant caution before installing.
- Guidance
- Before installing, note these points:
  - The code and SKILL.md require a JSON2VIDEO_API_KEY, but the registry metadata does not list it — treat that as a metadata/packaging error. Do not supply high-privilege or reused credentials; use an API key scoped to rendering only, if possible.
  - The script sends requests to api.json2video.com (expected). If you plan to use Azure or ElevenLabs voices, verify whether you need additional keys for those services — the skill's docs mention them but the code delegates to JSON2Video (which may mediate TTS).
  - Source and homepage are unknown. If you need higher assurance, request provenance from the publisher or inspect the full script locally; the included Python is short and network calls are explicit (requests.post/get to JSON2Video).
  - For extra safety, run the script in an isolated environment or container and test with a throwaway API key. Check that logs or console output do not print your API key (the code reads the env var but does not log it).
  - If you rely on this skill in production, ask the publisher to correct the registry metadata to declare JSON2VIDEO_API_KEY and to document any additional credential needs. If you cannot verify the source, consider not installing or restricting the key's permissions.
Review Dimensions
- Purpose & Capability
- note: Name/description claim to generate Pinterest vertical videos via the JSON2Video API; the included Python script and SKILL.md both build JSON payloads and call https://api.json2video.com/v2 with an API key — this is coherent. However, the registry metadata lists no required environment variables while the instructions and code require JSON2VIDEO_API_KEY, which is an inconsistency.
- Instruction Scope
- ok: SKILL.md instructs only to set JSON2VIDEO_API_KEY, run the included script with a JSON config, and use example files. The runtime instructions and code operate on provided config files and the JSON2Video API only; they do not instruct reading unrelated system files or sending data to unexpected endpoints.
- Install Mechanism
- ok: This is an instruction-only skill with a small accompanying Python script; there is no install spec and no downloads from third-party URLs. Risk from install mechanism is low.
- Credentials
- concern: SKILL.md and scripts require the JSON2VIDEO_API_KEY environment variable, but the registry metadata declares no required env vars or primary credential — this mismatch is concerning and could cause users to miss that a secret is needed. The skill references third-party providers (Azure voices, ElevenLabs, Cloudinary, etc.) in docs, but those are optional integrations and the code only requires the JSON2Video API key.
- Persistence & Privilege
- ok: The skill does not request persistent/always-on privileges (always=false), does not modify other skills, and does not write system-wide configs. Autonomous invocation is allowed (default) but not combined with other high-risk requests.
