Skill v1.1.1
ClawScan security
HeyGen AI Avatar Video (Lite) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 11:10 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions call for a HEYGEN_API_KEY and rely on command-line tools, but the manifest declares no required credentials or binaries. That mismatch, together with a few other inconsistencies, warrants caution.
- Guidance: This skill appears to be a simple how-to for HeyGen, but the SKILL.md expects a HEYGEN_API_KEY and uses jq/curl even though the manifest lists no required credentials or binaries. Before installing or using it: (1) do not paste your primary HeyGen API key into an unknown skill; treat it as sensitive and consider creating a throwaway/test API key or account for trial. (2) Confirm whether the skill will actually access any keys (the manifest should declare HEYGEN_API_KEY as a required credential). (3) Note the affiliate and external paid links; the premium scripts are sold off-site, so review those sources before sending payment or credentials. (4) If you proceed, restrict the API key's permissions and monitor HeyGen account activity. If you want, ask the author to update the manifest to declare HEYGEN_API_KEY and list the required binaries (curl, jq) so the manifest and runtime instructions align.
Review Dimensions
- Purpose & Capability
- note: The skill's stated purpose (create HeyGen avatar videos) matches the curl examples in SKILL.md; however, the manifest declares no required environment variables or binaries while the runtime instructions clearly expect HEYGEN_API_KEY and use jq/curl. This is an incoherence between claimed requirements and actual usage.
- Instruction Scope
- concern: SKILL.md instructs the agent to run curl requests against HeyGen endpoints and to read an environment variable HEYGEN_API_KEY (not declared). It also uses jq in examples (jq is not listed as a required binary). The README points users at uploading training videos (implying file upload) and includes affiliate/purchase links and a paid 'premium' offering hosted off-site. The instructions otherwise only send data to HeyGen endpoints, but the undeclared use of sensitive env vars and the external payment/hosting links are concerning.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so it does not write or execute downloaded code on disk. That lowers install-related risk.
- Credentials
- concern: Although the manifest lists no required env vars, the SKILL.md examples require HEYGEN_API_KEY (sensitive). The skill also references jq (a local binary). Sensitive credentials are being used but not declared as the primary credential; this omission is disproportionate and should be corrected before trusting the skill.
- Persistence & Privilege
- ok: The skill does not request 'always: true' nor any system configuration paths. It appears user-invokable only and does not request persistent system privileges.
