Skillv1.0.0

ClawScan security

Video Craft Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 6:48 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose (generating video scripts, voiceover text, and captions) and does not request extra credentials or perform installs; nothing in the files indicates covert or unrelated behavior.
Guidance: This skill appears to be a straightforward, instruction-only content generator: it produces scripts, voiceover text, and captions without requiring credentials or installing software. Before installing, consider: 1) Source trust: the package has no homepage and an unknown source — if you require stronger provenance, ask the author for a repository or contact. 2) Publishing expectations: it will not post to YouTube/Douyin by itself (no API keys); if you want automatic publishing you must provide and review integration code separately. 3) Data leakage: avoid pasting sensitive or private transcripts into the skill because its outputs are text and could be stored in logs or transmitted by your agent hosting environment. 4) Test in a sandbox: run some sample prompts and review outputs for copyright, PII, or inappropriate suggestions before using in production. If you need deeper assurance, request the full source or a homepage from the author so you can review provenance and licensing.

Review Dimensions

Purpose & Capability: noteThe name and description (short-video script, voiceover, captions) match the provided SKILL.md and the small test script. The SKILL.md claims to 'inherit' other skills (video-script-creator) but there are no declared dependencies or external APIs; this is plausible for an instruction-only, LLM-driven skill but is worth noting if you expected automated publishing or external integrations.
Instruction Scope: okSKILL.md contains only high-level instructions for generating scripts, voiceover text, and captions. It does not instruct the agent to read arbitrary local files, system paths, or environment variables, nor to send data to external endpoints. The included scripts/test.sh is a harmless local test that only echoes expected outputs.
Install Mechanism: okNo install specification (instruction-only) and no archive downloads — nothing is written to disk beyond the provided files. This is the lowest-risk installation pattern.
Credentials: noteThe skill requests no environment variables or credentials, which is consistent with a pure content-generation tool. One minor mismatch to be aware of: the skill advertises 'platform adaptation' (YouTube, Douyin, etc.) but does not request the platform API keys — that is appropriate if the skill only produces text and does not publish, but users expecting automatic posting will need to supply credentials separately.
Persistence & Privilege: okalways:false and default invocation settings are used. The skill does not request persistent agent-level privileges or attempt to modify other skills or system-wide settings.