Skill v1.0.0
ClawScan security
Shellbot Product Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 4:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it provides Remotion + React templates and instructions to produce AIDA product videos and does not request unrelated credentials or hidden installs.
- Guidance: This skill is coherent for producing Remotion AIDA videos. Before using:
  1. Review the included shell/python scripts (bootstrap_template.sh, package_skill.sh, publish_clawhub.sh, brief_to_aida_plan.py) to confirm they do only what you expect.
  2. When you run npm install in the generated project, it will fetch common packages (react, remotion); run in a sandbox or build environment if you prefer.
  3. If you want to use Freepik/ElevenLabs/Kling asset generation, you'll need to supply those API keys separately and confirm the endpoints/credentials are handled securely; the skill does not declare or store them.
  4. If you plan to publish with the provided publish script, check it for network calls and verify it requires the ClawHub CLI and login credentials you control.
Review Dimensions
- Purpose & Capability (ok): The name/description align with the provided files: Remotion/React templates, example plans, and playbooks for building AIDA product videos. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope (note): SKILL.md instructs running bundled scripts (bootstrap_template.sh, brief_to_aida_plan.py, npm install, remotion render) and using external asset generators (Freepik/Kling/ElevenLabs) for ancillary assets. This is within the stated scope, but running included shell/python scripts has side effects; inspect them before executing.
- Install Mechanism (ok): There is no automated install spec; the skill is instruction-first and bundles project templates and scripts. The workflow expects running npm install in the bootstrapped project (normal for JS templates). No remote archive downloads or obscure URLs are used by the skill itself.
- Credentials (ok): requires.env lists nothing and primary credential is none. The SKILL.md references external services (Freepik, ElevenLabs) but does not request or attempt to capture credentials; using those services would require you to supply API keys separately.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not a special privilege here.
