Skill v1.0.0

ClawScan security

aim-digital-human-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 2:06 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches its stated purpose (submit image+audio to AEP and poll a TOS URL) but has multiple internal inconsistencies and operational choices that warrant caution before installing or giving keys to an agent.
Guidance
Key points to consider before installing or using this skill:
- Confirm the credential flow: the skill requires an 'aim-secret-key' to call AEP, but the skill metadata does not declare any required env vars. If you install it, plan how you'll provision that key. Prefer manually creating the .env file yourself rather than pasting the key into a chat with an agent.
- Do not paste secrets into an agent conversation unless you trust the agent and environment. The SKILL.md explicitly instructs the agent to write the key into a local .env file — that is convenient but increases the chance of accidental leakage.
- Verify endpoints and ownership: the default AEP base URL (https://aep.focusaim.com) and the TTS/AEP service IDs are specific to this provider. The code also includes DEFAULT_DIRECT_URL = http://192.168.25.10:32004 (a direct bypass/test endpoint). Ask or inspect the full script to confirm whether there are any code paths that use that direct URL or any other unexpected host for uploads.
- Inspect the full script before running: the provided script snippet contradicts the documentation about not reading environment variables (it calls os.getenv). There is also an apparent code truncation/typo in the provided snippet (a 'headers=header' reference) — review the full file to ensure there are no bugs or hidden network calls.
- Prefer running in an isolated/test environment first: run the script locally with test keys or a dedicated account, monitor outbound network calls (which hosts are contacted), and confirm behavior before giving it production credentials.
- If you want stronger guarantees: modify the script to avoid agent-written secrets (require the user to create the .env manually or pass the key via a local-only config), log all outbound hosts, and/or restrict network egress while testing.
If you want, I can: (1) re-scan the complete, untruncated script to confirm whether DEFAULT_DIRECT_URL is used; (2) point out the exact lines where environment variables are read; or (3) suggest a safer change to the secret-handling flow (example patch) so the agent never needs to write the .env file for you.

Review Dimensions

Purpose & Capability
concern: The skill's declared registry metadata lists no required environment variables or primary credential, but the code and SKILL.md clearly require an 'aim-secret-key' credential (stored in a .env file) to call AEP. That mismatch between declared requirements and actual code is an incoherence. Other requested options (TTS, ffprobe) are coherent with the stated purpose.
Instruction Scope
concern: The SKILL.md instructs the agent to collect the user's secret via conversation and have the agent write the secret into a local .env in the skill directory (explicit: 'agent writes .env; user does not edit file'). The doc also claims the script won't read process environment or home dir, but the code uses os.getenv in several places (AEP_BASE_URL, AEP_USER_ID, TTS service id), which contradicts that claim. The script will read local files (image, audio, voice sample) and persist a .task-history.jsonl — those are expected, but the instructions grant the agent the ability to accept and persist user secrets, which is sensitive.
Install Mechanism
ok: No install spec and no network-based installer are present; the skill is instruction + a Python script. It requires 'requests' and optionally ffprobe; there are no downloads or extracted archives in the manifest. This is low risk from an installation mechanism perspective.
Credentials
concern: Requiring an 'aim-secret-key' for the AEP gateway is proportionate to the described functionality (API calls to AEP). However, the registry metadata does not declare this credential, creating an inconsistency. The skill's operational model asks the agent to capture the secret in-chat and write it to a local .env file — that disperses the secret into agent-writable disk and increases exposure. Additionally, the code contains a DEFAULT_DIRECT_URL (http://192.168.25.10:32004) labelled '绕过 AEP' ("bypass AEP") which is an unexpected direct endpoint; any code path that can send data to an alternate URL should be reviewed.
Persistence & Privilege
note: The skill is not 'always: true' and does not appear to attempt to modify other skills. It persists per-run state in .task-history.jsonl (gitignored) and expects to read/write a .env in its own directory — this requires agent file-write privileges but is within the scope of the feature. The main concern is the instruction for the agent to accept the secret in chat and write it to disk on the user's behalf (secret handling policy / user consent needed).