ClawHub
Back to skill
v1.0.10

Chanjing One Click Video Creation

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:12 AM.

Analysis

The skill is coherent for generating videos, but it does use Chanjing credentials, external API/CDN calls, local media tools, and persistent output files.

GuidanceThis appears safe to review as a normal Chanjing video-rendering integration. Before installing, confirm you trust the Chanjing API service, protect ~/.chanjing/credentials.json, install trusted ffmpeg/ffprobe binaries, and check that any sibling Chanjing skill paths point to code you trust.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
manifest.yaml
allowed_commands:
  - python3
  - ffmpeg
  - ffprobe
  - chan-skill
...
subprocess:
  ...
  mayInvokeSiblingSkillScripts: true

The skill is designed to run local media tools and sibling skill scripts; this is central to rendering but means local executables are part of the trust boundary.

User impactThe skill can launch local commands to process media and call related Chanjing helper skills.
RecommendationEnsure ffmpeg/ffprobe and any sibling Chanjing skills come from trusted locations, and avoid pointing SKILLS_DIR or related variables at untrusted directories.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Required binaries (all must exist): none ... Primary credential: none

Registry-level requirement signals understate the package’s own documented dependencies and credential file, which could surprise users during setup even though the package documents them elsewhere.

User impactA user relying only on registry metadata may not realize they need local media tools and Chanjing credentials before running the skill.
RecommendationReview SKILL.md and manifest.yaml before installation, and update registry metadata to declare the required binaries and credential model.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
manifest.yaml
credentials:
  model: credentials_json
  defaultPath: "~/.chanjing/credentials.json"
  ...
  sensitiveFields:
    - app_id
    - secret_key
    - access_token
  persistAccessTokenOnDisk: true

The skill uses Chanjing account credentials and persists an access token locally, which is expected for the API integration but is sensitive account authority.

User impactInstalling and using the skill can let it act through your Chanjing API account and store a reusable token on disk.
RecommendationUse only credentials you are comfortable using for video generation, protect the credentials file permissions, and do not commit credentials.json to source control.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
manifest.yaml
network:
  httpsOutbound: true
  documentedHosts:
    - open-api.chanjing.cc
...
userContent:
  mayDownloadFromApiResponseUrls: true

The workflow sends generation tasks to Chanjing and downloads media from URLs returned by the service, which is expected but moves user-provided content through an external provider.

User impactTopics, scripts, prompts, and generated media task data may be processed by Chanjing services and downloaded from returned media URLs.
RecommendationDo not submit confidential scripts or sensitive personal content unless you trust Chanjing’s handling of that data and the returned media URLs.