Skill v5.0.0
ClawScan security
Fanqie Novel AI Video Drama Batch Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 9, 2026, 3:43 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (calling third‑party generation/TTS endpoints and running ffmpeg) broadly matches its stated purpose, but it omits required runtime dependencies and credential needs and will transmit full novel text to external services — this mismatch warrants caution.
- Guidance: This skill will upload the full novel chapters you provide to external services (api.kelingai.com and openspeech.bytedance.com) and will call local ffmpeg to assemble videos, but the package metadata doesn't declare required binaries or API credentials. Before installing, consider:
  1. Are you comfortable sending your text (and any copyrighted or sensitive content) to these third parties?
  2. Ensure ffmpeg is available on the host (the code runs execSync ffmpeg) or the skill will fail.
  3. Ask the publisher where API keys should be configured; the skill does not declare required env vars but likely needs them — absence of declared credentials is suspicious.
  4. Prefer running this skill in an isolated environment (container or sandbox) and inspect network traffic to confirm endpoints and that no unexpected destinations receive data.
  5. If you must proceed, test with non-sensitive sample text first and request the author/source of the skill and documentation for required dependencies and privacy/TOS for the third‑party services.
Review Dimensions
- Purpose & Capability (concern): The skill intends to produce videos from novel chapters and does call video/image/TTS services and run local ffmpeg to combine assets (which is coherent). However, the manifest/metadata declare no required binaries or credentials while the code clearly requires ffmpeg on PATH and makes network calls to third‑party APIs; those omissions are disproportionate to the stated metadata and confuse deployment/privilege expectations.
- Instruction Scope (concern): SKILL.md describes splitting the novel and batch-generating episodes but does not disclose that the full chapter text will be POSTed to external endpoints (api.kelingai.com and openspeech.bytedance.com). The code transmits user content to these external services and writes output files to disk; the privacy/networking implications are not documented in SKILL.md.
- Install Mechanism (note): There is no install spec (lower install risk), but the bundled code expects node runtime libraries and an ffmpeg binary. The skill does not declare these binaries or dependencies, so deployers may encounter missing binary/dependency errors or may inadvertently run it in an environment lacking required tooling.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet it calls external APIs that commonly require API keys (kelingai endpoints and Bytedance TTS). This is a mismatch: either the endpoints accept unauthenticated requests (unusual) or the skill expects credentials to be provided out-of-band. Additionally, user-provided novel text is sent to third parties without any documented consent/privacy notice.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request persistent system privileges. It writes output into a timestamped directory under its own __dirname, which is expected behavior for a generator tool.
