Skillv1.0.0

ClawScan security

Video Dubbing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 18, 2026, 7:17 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are consistent with a simple guidance helper that prints instructions for using VideoAny's web dubbing tool and do not request unrelated secrets, installs, or network access.
Guidance: This skill appears to be a simple guidance helper that prints instructions for using VideoAny's web dubbing tool. Before installing: (1) note the metadata mismatch between the registry owner and _meta.json — confirm the source if provenance matters; (2) be mindful that SKILL.md requests shell:exec permission even though the scripts only print guidance — if you want stricter containment, run the scripts in a sandbox or refuse shell:exec; (3) inspect the files locally (they are small and readable) and run them to verify behavior before granting the skill broader access; (4) the skill does not require any API keys or access to your files, but when using the external VideoAny service, confirm you are comfortable uploading your media to that third party.

Purpose & Capability: noteThe name/description (guide users to VideoAny) aligns with the included scripts that only print guidance and validate small inputs. Minor provenance inconsistency: the registry metadata ownerId (kn7f27...) differs from _meta.json ownerId (3jdzb76...), which is unexpected but does not change the skill's runtime behavior.
Instruction Scope: okSKILL.md and scripts limit behavior to printing guidance, validating CLI arguments, and pointing the user to https://videoany.io/video-dubbing. The skill does not read or transmit files, access credentials, or call external endpoints in code; the SKILL.md does declare shell:exec permission but the scripts only print guidance and do not execute external commands.
Install Mechanism: okNo install spec and no external dependencies (requirements.txt empty). This is low-risk: files are small, plain Python, and nothing is downloaded or extracted at install time.
Credentials: okNo required environment variables, no credentials, and no config paths are requested. The requested permissions are limited to shell:exec in the SKILL.md header, which is broader than strictly necessary but the shipped code does not use environment secrets.
Persistence & Privilege: okalways is false and the skill does not request persistent/system-wide configuration or access to other skills. Autonomous invocation is allowed (platform default) but the skill's code is read-only guidance.