Skill v0.1.0
ClawScan security
Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 9:29 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's runtime instructions ask the agent to scrape websites, download assets, and run external tunnel scripts and background servers. These behaviors are plausible for a Remotion video workflow, but the skill metadata does not declare required credentials, scripts, or tooling, creating incoherence and an elevated risk profile.
- Guidance: This skill's instructions include website scraping, downloading assets, running npm/npx commands, and starting a public tunnel, all of which can expose local data or transmit information externally. Before installing or using it:
  1. Ask the author for the missing manifests: which env vars (FIRECRAWL_API_KEY) and helper scripts are required, and why they weren't declared.
  2. Inspect the referenced scripts (skills/cloudflare-tunnel/scripts/tunnel.sh, scripts/firecrawl.sh, TOOLS.md); do not run them until you have reviewed their contents.
  3. If you must test, run the workflow in an isolated environment (VM/container) with no access to sensitive files or credentials.
  4. Prefer providing a dedicated Firecrawl API key with limited scope or a test key, and avoid putting any unrelated secrets in .env.
  5. If you cannot review the scripts or confirm the source, do not expose your machine via the tunnel; instead render locally and deliver files securely.

  The mismatch between SKILL.md and the declared metadata is a significant red flag; proceed only after clarification and code review.
Review Dimensions
- Purpose & Capability (note): The stated purpose (programmatic video production with Remotion) reasonably explains use of Remotion, npm, and exposing a dev server for preview. However, the SKILL.md mandates use of Firecrawl (a scraping API) and a Cloudflare tunnel script located at skills/cloudflare-tunnel/scripts/tunnel.sh; neither the API key nor these helper scripts/tools are declared in the skill metadata. Requesting a website-scraping service and a public tunnel is plausibly related to the purpose, but the lack of declared requirements and the reliance on out-of-repo scripts is incoherent.
- Instruction Scope (concern): The instructions direct the agent to perform website scraping for brand data, download arbitrary assets (favicon, OG image, screenshots), run npm installs and npx scaffolds, start a background dev server, and call a cloudflare-tunnel script to expose localhost. These steps involve network access, arbitrary external downloads, and exposing a local port, operations that go beyond just generating video files and could expose local resources or transmit data. The SKILL.md also references TOOLS.md and other scripts that are not present, giving the agent broad, ambiguous discretion.
- Install Mechanism (note): There is no install spec (instruction-only), which reduces immediate disk-write risk from a packaged installer. However, the runtime instructions tell the agent to run commands that will fetch and run remote code (npx create-video, npm install, curl to arbitrary URLs, and an external tunnel script). Because the skill relies on out-of-skill scripts and network fetches, the effective install/run surface is higher than the manifest suggests.
- Credentials (concern): The SKILL.md states 'MANDATORY: Use Firecrawl' and instructs setting FIRECRAWL_API_KEY in a .env file, but the skill's declared requirements list zero environment variables and no primary credential. That mismatch is a clear incoherence. Additionally, the workflow implies broad network and file-system access (downloading assets into the project, exposing a tunnel), which are disproportionate relative to the metadata and which should be explicitly declared and justified.
- Persistence & Privilege (ok): The skill does not set always:true and does not request persistent privileges in the registry metadata. Autonomous model invocation is allowed by default (disable-model-invocation:false), which is normal; this by itself is not flagged. The runtime steps do instruct running long-lived background processes and opening a public tunnel, but those are transient runtime actions rather than registry-level persistence.
