Boosta Long to Shorts
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with your API key, the skill can submit video-processing jobs and may use Boosta credits.
The bundled script can create Boosta processing jobs through the API. This is exactly the skill's purpose, but it is an external account-affecting action.
def submit_job(self, video_url, video_type, config_name=None): ... return self._request("POST", "/jobs", payload)Use it only when you intend to create or check Boosta jobs, and review the video URL, video_type, and config before submitting.
Anyone or any agent process with this environment variable can act on the associated Boosta account within the exposed API operations.
The script reads a Boosta API key from the environment and uses it as a bearer credential. This is expected for the integration, and the artifacts do not show the key being stored or printed.
api_key = os.getenv("BOOSTA_API_KEY") ... headers = {"Authorization": f"Bearer {self.api_key}"}Store the API key securely, avoid sharing logs or shells that expose it, and rotate the key if it may have been disclosed.
Users have less registry-level assurance that the installed package corresponds to the referenced repository.
The registry metadata does not identify a verified source, even though the skill files reference a GitHub repository. This is a provenance gap to notice before installation.
Source: unknown
Install from a trusted registry path and, if using the GitHub/npx path, verify the repository and contents before relying on the skill.