Boosta Long to Shorts

ReviewAudited by ClawScan on May 1, 2026.

Overview

This is a scoped Boosta API skill that uses your Boosta API key to create and monitor video jobs; no hidden or deceptive behavior is evident, but job submission can affect your Boosta account and credits.

Install this only if you want an agent to use Boosta on your behalf. Keep BOOSTA_API_KEY private, confirm job submissions because they may use credits, and verify the package source if installing from GitHub or npx.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If invoked with your API key, the skill can submit video-processing jobs and may use Boosta credits.

Why it was flagged

The bundled script can create Boosta processing jobs through the API. This is exactly the skill's purpose, but it is an external account-affecting action.

Skill content

def submit_job(self, video_url, video_type, config_name=None): ... return self._request("POST", "/jobs", payload)

Recommendation

Use it only when you intend to create or check Boosta jobs, and review the video URL, video_type, and config before submitting.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Anyone or any agent process with this environment variable can act on the associated Boosta account within the exposed API operations.

Why it was flagged

The script reads a Boosta API key from the environment and uses it as a bearer credential. This is expected for the integration, and the artifacts do not show the key being stored or printed.

Skill content

api_key = os.getenv("BOOSTA_API_KEY") ... headers = {"Authorization": f"Bearer {self.api_key}"}

Recommendation

Store the API key securely, avoid sharing logs or shells that expose it, and rotate the key if it may have been disclosed.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less registry-level assurance that the installed package corresponds to the referenced repository.

Why it was flagged

The registry metadata does not identify a verified source, even though the skill files reference a GitHub repository. This is a provenance gap to notice before installation.

Skill content

Source: unknown

Recommendation

Install from a trusted registry path and, if using the GitHub/npx path, verify the repository and contents before relying on the skill.