Skill v0.1.0
ClawScan security
Ai Video Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 20, 2026, 9:29 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated video-generation purpose, but the package metadata omits the required SKILLS_VIDEO_API_KEY environment variable (and related credential declaration), which is an important coherence/privilege omission the user should understand before installing.
- Guidance
- This package contains Python helper scripts that will call open.skills.video endpoints and require an API key provided as SKILLS_VIDEO_API_KEY. Before installing or giving the agent this skill: (1) understand that the skill will make network calls to https://open.skills.video and will use whatever API key you set; (2) do not provide unrelated credentials — only a dedicated skills.video API key is needed; (3) prefer a least-privilege API key (scoped/limited if the platform supports it) and avoid exposing high-privilege or multi-service keys; (4) inspect the bundled scripts yourself (they are plain Python) if you have security concerns; and (5) ask the skill author/registry maintainer to update the metadata to declare SKILLS_VIDEO_API_KEY as a required credential so the requirement is visible in the registry.
Review Dimensions
- Purpose & Capability
- note: The name/description (building and executing skills.video generation calls) aligns with the included scripts and references (create SSE requests, poll results, inspect OpenAPI). Network targets are limited to the documented platform (open.skills.video). However, the registry metadata lists no required credentials while the runtime clearly depends on SKILLS_VIDEO_API_KEY — a mismatch between claimed requirements and actual needs.
- Instruction Scope
- ok: SKILL.md and the scripts keep to the stated scope: inspecting OpenAPI files, building payloads, POSTing to SSE endpoints, and falling back to polling. Instructions do not request unrelated system files or arbitrary external endpoints beyond skills.video. They do instruct running the included Python scripts and reading user-supplied OpenAPI/docs files.
- Install Mechanism
- ok: No install spec (instruction-only/embedded scripts) — low installation risk. All behavior is in plain Python scripts bundled with the skill (no downloads or archive extraction).
- Credentials
- concern: The runtime expects and reads SKILLS_VIDEO_API_KEY (scripts and examples use it for Authorization), but the skill metadata declares no required env vars or primary credential. Requesting that API key is proportionate to the skill's purpose, but the omission in metadata is a coherence/visibility problem: users may not realize they must provide a bearer key or how it will be used.
- Persistence & Privilege
- ok: always:false and no filesystem/config paths requested. The skill does not appear to modify other skills or system-wide settings. It runs subprocesses only to invoke helper scripts and performs network I/O to the expected service.
