Skill v1.0.0
ClawScan security
AI Video Asset Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 27, 2026, 6:19 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are coherent with an AI video asset management workflow; included scripts perform local project initialization and user-driven downloads and do not request unrelated credentials or hidden network endpoints.
- Guidance: This skill appears internally consistent and the bundled scripts are straightforward. Before installing or running:
  1. Only use trusted URLs with the '下载素材' command — the batch-download script will save whatever bytes are at those URLs to disk and could store malicious files.
  2. Run the skill in a workspace you control (not a sensitive system directory) because it creates and reads local project files.
  3. If you expect automatic integration with Runway/Kling/Veo, note the skill documents workflows but does not include API connectors or require credentials — you'll need to manage any tool-specific auth separately.
  4. If you plan to let the agent act autonomously, be aware it will read and write project files and may download user-specified resources; restrict access to only the directories you want it to manage.
Review Dimensions
- Purpose & Capability: ok. Name/description (asset/cards/consistency checks) match the provided SKILL.md, reference documents, and the two helper scripts. References to Runway/Kling/Veo are explanatory (supported tools) but no connectors or credentials are requested — reasonable for an instruction-first asset-management skill.
- Instruction Scope: note. SKILL.md instructs the agent to create and read local asset files, run consistency checks, and download reference images from user-provided URLs. Reading/writing project files and performing consistency checks is expected; however the '下载素材 [URL]' action and the batch-download script allow fetching arbitrary URLs supplied by users — this is functional but requires care (see guidance).
- Install Mechanism: ok. No install spec is provided (instruction-only). Two small Python scripts are bundled; they are plain, readable, and do not fetch remote code or perform installation steps. No archives or external downloads during install.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or elevated access — credential requests are proportional (none).
- Persistence & Privilege: ok. Skill is not always-enabled and does not claim to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
