ClawHub
Back to skill
v1.0.0

Lip Sync

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:33 AM.

Analysis

This skill is a straightforward guidance helper for a VideoAny lip-sync webpage, with no evidence of hidden execution, credential use, persistence, or data exfiltration.

GuidanceThis appears safe as a guidance-only skill. Before using it, understand that actual lip-sync generation happens on VideoAny's website and may require uploading image and audio files, so only use authorized content and review the service's privacy terms.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
permissions:
  - shell:exec
...
python3 scripts/guide_lip_sync.py

The skill declares shell execution and documents running a local Python helper. This is disclosed and the reviewed script only prints guidance, but shell capability is still something users should notice.

User impactThe agent may run a local helper script, though the provided helper is limited to displaying instructions.
RecommendationOnly allow the shell helper if you want local printed guidance; otherwise you can use the VideoAny URL directly.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
metadata
Source: unknown
Homepage: none

The registry-level source and homepage are sparse, even though the package itself points to VideoAny and includes simple local scripts. This is a provenance note rather than evidence of unsafe behavior.

User impactIt may be harder to verify the publisher or original source from registry metadata alone.
RecommendationIf publisher provenance matters to you, verify the VideoAny link and package owner before installing.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Image input: upload or use URL, formats `jpg/png/webp`
- Audio input: upload or use URL, formats `mp3/wav/m4a`
...
actual generation is done on VideoAny web.

The workflow sends user-provided image and audio content to an external web provider. This is purpose-aligned and disclosed, but the media may be personal or sensitive.

User impactImages and voice/audio files used for generation may be shared with VideoAny during the web workflow.
RecommendationReview VideoAny's privacy and usage terms, and upload only media you own or are authorized to use.