Skill v1.0.0
ClawScan security
WaveSpeedAI Wan 2.6 Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 3:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match a video-generation purpose, but the manifest omits the API key it expects and the runtime guidance could cause the agent to access local files and upload them; the skill's origin is unknown so these inconsistencies warrant caution.
- Guidance: This skill appears to do what its description says (video generation via WaveSpeed AI), but there are two issues to consider before installing:
  - Manifest mismatch: The SKILL.md expects a WAVESPEED_API_KEY, yet the registry metadata lists no required environment variables or primary credential. Ask the publisher to update the manifest so you know what secrets are needed.
  - Local-file uploads: Examples show uploading local files (e.g., wavespeed.upload('/path/to/photo.png')). If you let the agent run autonomously, it could read and upload local files you point it to. Avoid giving it access to sensitive files and only upload content you are comfortable sharing with the external service.
  - Origin unknown: There's no homepage and the source is unknown. Prefer skills from known authors or that include a homepage/repo so you can verify endpoints and client libraries.
  - Operational advice: If you proceed, use a scoped API key with minimal privileges, avoid using secrets used elsewhere, and review any files you plan to upload. Request the author to (1) add WAVESPEED_API_KEY to the declared required env vars, (2) provide a homepage/repo link, and (3) clarify any data-retention or privacy policies for uploaded media.
Review Dimensions
- Purpose & Capability (note): The SKILL.md clearly documents WaveSpeed AI / Alibaba Wan-2.6 text-to-video and image-to-video usage and parameters, which is consistent with the name/description. However the registry metadata lists no required credentials while the runtime docs instruct users to set WAVESPEED_API_KEY; the skill source/homepage is unknown. This metadata/instruction mismatch is an inconsistency.
- Instruction Scope (concern): Runtime instructions tell the agent to use wavespeed.run and wavespeed.upload and show examples using local file paths (e.g. wavespeed.upload('/path/to/photo.png')). That implies the agent may be expected to read local files and upload them. The instructions otherwise call out only the intended external endpoint (wavespeed.ai), but use of local file reads/uploads increases the sensitivity of actions the agent might take.
- Install Mechanism (ok): No install spec and no code files — instruction-only — so nothing is written or installed on disk by the skill itself. This lowers technical installation risk.
- Credentials (concern): The SKILL.md explicitly shows exporting WAVESPEED_API_KEY, but the skill manifest declares no required environment variables or primary credential. Requesting a single API key is reasonable for a hosted generation service, but the omission in the manifest is an incoherence that should be corrected. No other credentials are requested.
- Persistence & Privilege (ok): The skill is not marked always:true, does not include install behavior, and does not request persistent system-level privileges. It does not attempt to modify other skills or global agent configuration in the provided instructions.
