v1.0.3

AI短剧制作助手 | AI Short Film Producer

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:25 AM.

Analysis

This is a coherent AI video-production workflow, but it relies on sensitive API keys, paid batch API calls, and under-specified third-party services without clear credential, approval, or cost boundaries.

GuidanceBefore installing or using this skill, verify the external API provider and pricing, use a limited or low-balance API key, require approval before paid batch generation, start with a small test batch, and avoid uploading sensitive media to public URLs or cloud storage.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

视频生成：Grok Imagine（速创API，按秒计费） ... 25个镜头同时提交 ... 失败自动重试（平均重试3次）

The skill directs parallel paid API use with automatic retries, but the artifacts do not define an explicit approval step, budget cap, or spending limit before these actions occur.

User impactA mistaken prompt or over-broad request could consume paid API credits and generate many unwanted assets.

RecommendationRequire user confirmation of the script, shot count, retry limit, and maximum budget before submitting batch jobs or retries.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

references/sucuang_api.md

平台地址: （注册后获取）; 文档中心: （注册后获取）; API Key获取: 注册登录后进入控制台获取

The core provider, documentation, and endpoint provenance are not concretely identified in the artifacts, despite the skill relying on that provider for paid video and TTS generation.

User impactUsers cannot verify the provider, pricing, terms, or security posture from the supplied artifacts before sending prompts, media, or API keys.

RecommendationVerify the real provider URL and documentation independently, confirm pricing and terms, and avoid sharing keys until the service provenance is clear.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

references/production_workflow.md

cmd = [FFMPEG, '-y'] ... subprocess.run(cmd, check=True)

The references include Python subprocess and FFmpeg command templates. This is expected for local video assembly, but it still means the workflow can run local commands and overwrite outputs.

User impactFollowing the skill may execute local media-processing commands and replace existing output files.

RecommendationRun commands only in a dedicated project folder, review paths before execution, and back up important files.

Cascading Failures

SeverityMediumConfidenceHighStatusNote

references/production_workflow.md

25个镜头同时提交到API ... 失败自动重试（最多5次）

The workflow intentionally fans one project plan into many API tasks and retries. This is purpose-aligned, but an error can multiply into many paid calls and generated files.

User impactA bad script, wrong prompt, or incorrect settings could propagate across an entire batch and increase cost or cleanup effort.

RecommendationPilot one or two shots first, review results, then approve full-batch generation with a clear retry and spending limit.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

总成本仅需¥30-50/部（128秒短片）

The low-cost claim is promotional and may not hold if provider prices, retries, project size, or cloud/storage costs differ.

User impactUsers may assume the workflow has a guaranteed low cost when actual paid API charges can vary.

RecommendationCheck the current provider pricing and set a maximum spend before generating media.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

鉴权：Authorization Header 传API Key（不带Bearer前缀）

The workflow requires a sensitive API key that can access a third-party paid account, while the registry requirements list no primary credential or required environment variable and the key scope/handling is not bounded.

User impactUsers may provide an API key without clear storage, scope, rotation, or spending protections.

RecommendationDeclare the credential requirement explicitly, use a secure secret mechanism, prefer limited-scope or low-balance keys, and document how the key is handled.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

references/sucuang_api.md

音频和视频URL必须公网可访问 ... 推荐搭配云存储服务存储素材

The optional digital-human workflow requires public media URLs and recommends cloud storage, so user media may leave the local environment and become accessible outside the user’s device.

User impactPrivate scripts, audio, or videos could be exposed through third-party APIs or public URLs if users upload sensitive assets.

RecommendationUse only non-sensitive media, prefer expiring or access-controlled URLs where possible, and delete uploaded assets after processing.