Skill v1.0.0

ClawScan security

WaveSpeedAI Veo 3.1 Fast Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 3, 2026, 7:35 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match its stated purpose (text/image/video generation) but they require an API key (WAVESPEED_API_KEY) and upload local files while the registry metadata declares no required credentials or homepage/source — this mismatch is unexplained and worth caution.
Guidance
This skill appears to do what it says (call WaveSpeed's Veo model to generate/extend videos), but the SKILL.md asks you to set WAVESPEED_API_KEY while the registry metadata does not declare that credential — that's a transparency gap. Before installing or using it: (1) verify the skill's source and homepage (wavespeed.ai looks referenced but the skill metadata lacks a homepage); (2) confirm the exact scope and permissions of the WAVESPEED_API_KEY you will provide (use least privilege and a revocable/test key if possible); (3) avoid uploading sensitive local files unless you trust wavespeed.ai's privacy/retention policy; (4) ask the publisher to update metadata to declare required env vars and provide a homepage or source repository so you can verify authenticity. These steps will reduce risk; the current mismatch is suspicious but not proof of malicious intent.

Review Dimensions

Purpose & Capability
note: The name and description (WaveSpeedAI Veo 3.1 Fast video generation) align with the SKILL.md examples and API calls to wavespeed.run; the functionality described (text-to-video, image-to-video, extensions) is coherent with the code snippets. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly instructs setting WAVESPEED_API_KEY — that discrepancy is unexpected.
Instruction Scope
note: Runtime instructions are narrowly scoped to calling the WaveSpeed API (wavespeed.run / wavespeed.upload) for generation and extension. They do instruct the agent or developer to upload local files (e.g., wavespeed.upload('/path/to/photo.png')) and to provide an API key; reading and uploading local media is necessary for image-to-video but is an action that needs explicit user consent. The SKILL.md does not instruct the agent to read unrelated system files or credentials, nor does it request broad system access.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing on-disk will be added by an installer according to the provided metadata.
Credentials
concern: SKILL.md requires an API key (WAVESPEED_API_KEY) for authentication to wavespeed.ai, but the registry metadata lists no required env vars or primary credential. Requiring a service API key is reasonable for this functionality, but failing to declare it in metadata is an inconsistency that reduces transparency and prevents the platform from surfacing the credential requirement to the user securely.
Persistence & Privilege
ok: always is false and there are no config paths or system modifications requested. The skill does not request elevated/always-on privileges and appears not to modify other skills or system-wide settings.