WaveSpeedAI Wan 2.6 Video Generation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent instruction-only WaveSpeed video-generation skill; the main things to notice are the WaveSpeed API key and uploading user media to an external service.
Before installing or using it, make sure you are comfortable sending prompts and selected media to WaveSpeed, use a dedicated API key, and avoid uploading sensitive personal files unless that is intended.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill needs to manage a WaveSpeed API key, which may authorize paid or quota-limited generation requests.
The skill uses a WaveSpeed API credential. This is expected for a WaveSpeed integration, but it gives access to the user's provider account and possible quota or billing.
export WAVESPEED_API_KEY="your-api-key"
Use a dedicated, revocable WaveSpeed key, store it securely, and avoid placing real keys directly in shared prompts or code snippets.
Personal images, audio, and prompts may be processed by the external WaveSpeed service if the user chooses those inputs.
The skill documents uploading local media to WaveSpeed for image-to-video generation. This is purpose-aligned, but it means selected local files leave the user's environment.
const imageUrl = await wavespeed.upload("/path/to/photo.png");Upload only files you intend to share with WaveSpeed, avoid sensitive or non-consensual media, and review the provider's retention and privacy terms.