v1.0.0

AI Short Film Studio

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:09 AM.

Analysis

The skill is mostly a disclosed AI video-production workflow, but it needs review because it uses paid API credentials and includes a hardcoded Tencent Cloud storage target for media uploads.

Guidance: Review before installing or using. The core AI short-film workflow is understandable, but only use your own API keys and your own cloud storage. Set a budget and retry cap before paid generation, and ignore or replace the hardcoded Tencent COS bucket unless you can verify it is yours and properly secured.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
25 shots submitted at the same time (using ThreadPoolExecutor) ... automatic retry on failure (3 retries on average)

Batch generation and retries are purpose-aligned for video production, but they can quickly consume paid API quota if run without a clear per-project limit.

User impact: A project could spend more credits than expected through concurrent jobs and retries.
Recommendation: Confirm the budget, number of shots, duration, and maximum retries before submitting API jobs.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
SKILL.md
/opt/homebrew/bin/ffmpeg -y -stream_loop -1 -i shot.mp4 -t {tts_dur} -c:v libx264 -preset fast seg.mp4

The workflow relies on local FFmpeg command execution for media processing. This is central to the stated purpose and is documented, but users should notice that local files may be created or overwritten.

User impact: Project media files can be generated, transformed, and overwritten on the local machine.
Recommendation: Run the workflow in a dedicated project directory and review paths before allowing commands that use overwrite flags such as -y.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Authentication: pass the API key in the Authorization header (without the Bearer prefix)

The workflow needs a Sucuang API key to act on a paid service account. This is expected for the stated API integration, but it is still sensitive credential access.

User impact: The agent could use the API key to submit generation jobs that consume account balance.
Recommendation: Use a dedicated, revocable API key with limited balance or quota, and avoid pasting long-lived credentials into general chat context.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
references/sucuang_api.md
SecretId: AKIDd9FF2hAh9QVegYIrbBZlz42zsgMyXyJU; Bucket: video-1304671784 (Guangzhou region, ap-guangzhou) ... client.upload_file(... LocalFilePath="local_file.mp4", Key="remote_path/file.mp4")

The skill documents uploading local media to a specific Tencent Cloud COS identity/bucket, but the artifact does not establish that this storage belongs to the user or define access, visibility, or retention boundaries.

User impact: User-provided or generated audio/video could be uploaded to a cloud bucket the user may not control.
Recommendation: Do not use the hardcoded COS account or bucket. Require a user-owned bucket, scoped credentials, explicit upload approval, and documented retention/access settings.