Skill v1.0.0

ClawScan security

runninghub-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 27, 2026, 4:00 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill appears to implement RunningHub image-to-video calls correctly, but the package metadata omits that an API key is required. The script looks for RUNNINGHUB_API_KEY (including by reading the Windows registry), an inconsistency you should understand before installing.
Guidance
This skill will upload any local images you give it to https://www.runninghub.cn and will attempt to use an API key. Before installing or running it:
(1) Be aware you must provide a RunningHub API key (via --api-key or the RUNNINGHUB_API_KEY environment variable); the skill metadata incorrectly omits this.
(2) Inspect the script yourself — it reads local files and (on Windows) will try to read HKCU\Environment for RUNNINGHUB_API_KEY.
(3) If you do not want your API key or files transmitted, do not run the script; consider running it in an isolated environment or supplying the key on the CLI for more control.
(4) If you plan to install the skill for others, request the author fix the metadata to declare the required env var and document the registry access.
(5) If you need more assurance, ask the publisher for an authoritative homepage or source repository to verify origin and review the remainder of the code (the provided script was truncated in the manifest listing — verify the complete file before use).

Review Dimensions

Purpose & Capability
concern: The skill's name, SKILL.md, API reference, and script all align with the stated purpose (submit image-to-video jobs, poll /openapi/v2/query, upload local files, download outputs). However, the declared registry metadata lists no required environment variables or primary credential, while the included script clearly requires an API key (RUNNINGHUB_API_KEY or --api-key). This metadata omission is an inconsistency.
Instruction Scope
note: The SKILL.md instructs the agent to use the included script to upload local files, poll tasks, and download outputs — this matches the script. The script uploads local files to https://www.runninghub.cn and downloads returned media. One behavior not called out explicitly in SKILL.md: the script, when not given a CLI key, will attempt to read RUNNINGHUB_API_KEY from the user environment and on Windows will try to read HKCU\Environment via winreg.
Install Mechanism
ok: No install spec (instruction-only with a helper script). Nothing is downloaded during install and no external install URLs are present. Risk surface comes from running the included script, not from a remote installer.
Credentials
concern: The script requires an API key to call RunningHub (accepted via --api-key or RUNNINGHUB_API_KEY). The skill metadata did not declare this required environment variable. The script also probes the Windows registry for the same key, which is unusual and should be documented/justified. No other unrelated credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and does not persist credentials itself. It runs as an on-demand helper script and behaves as a normal, non-persistent skill.