Skill v1.0.1

ClawScan security

Video analyze by doubao2.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 11:49 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it requests a single ARK_API_KEY and Python to upload or reference a video to Volcengine's Ark service and call the doubao model, which matches its stated purpose.
Guidance
This skill will send your video data (local files uploaded via the SDK or remote URLs forwarded) to Volcengine's Ark service and requires your ARK_API_KEY. Only use it with non-sensitive or permissible content, and be sure you trust the ARK endpoint and your API key. Installing the recommended Python SDK will pull code from PyPI — review that package if you need to. Keep the skill user-invocable (not always-on) and do not share your ARK_API_KEY with untrusted parties. If you need assurance on data retention/privacy, review Volcengine's service and privacy terms before uploading videos.

Review Dimensions

Purpose & Capability
ok: Name/description, declared requirements (python + ARK_API_KEY), and the included script all align: the skill uploads or references a video to Volcengine Ark and requests analysis from the doubao model. No unrelated credentials or binaries are requested.
Instruction Scope
note: SKILL.md and the script are scoped to the stated task: check ARK_API_KEY, install the Volcengine SDK, craft a prompt, and run the provided script to either upload a local file or pass a remote URL. Note: SKILL.md mentions base64-encoding local files for upload while the script uses the SDK's file upload; this is an implementation detail rather than a scope expansion. The doc explicitly warns against using web_fetch to retry remote URLs, which restricts behavior.
Install Mechanism
note: There is no formal install spec (instruction-only), but SKILL.md instructs the user to pip install 'volcengine-python-sdk[ark]'. Installing a third-party Python package from PyPI is expected for this functionality, but it does cause third-party code to be fetched over the network and installed; the package name appears to match the provider and there are no mysterious download URLs.
Credentials
ok: Only ARK_API_KEY is required and used by the script. That single credential is proportional to the skill's need to authenticate to the Ark API. Users should understand this key authorizes uploading video data to the vendor.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistence or modify other skills or system settings. It runs only when invoked.