v1.0.1

Video generation pipeline

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:39 AM.

Analysis

This is a coherent video-generation pipeline, but it uses your Zhipu API key and sends storyboard prompts to an external video service.

Guidance

Use this skill if you intend to generate videos through Zhipu CogVideoX-3. Keep ZHIPUAI_API_KEY out of repositories and chat logs, verify BIGMODEL_API_BASE is trusted if you set it, review the generated storyboard before submitting, and avoid including sensitive information in prompts.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
python3 scripts/video-generate.py --output-dir ./output_videos

The normal workflow runs a local Python script that submits three video-generation jobs and may download MP4 outputs. This is disclosed and central to the skill, but it is still a user-visible network/tool action.

User impact: Running the skill can consume API usage or credits and create local output files.
Recommendation: Review the storyboard before running the script, confirm expected API cost, and choose an output directory intentionally.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Environment variables: `ZHIPUAI_API_KEY` (required); optional `BIGMODEL_API_BASE`

The skill requires a provider API key and can use a configurable API base. This is expected for CogVideoX-3 access, but users should treat the key as account authority.

User impact: Anyone with the API key could potentially use the associated Zhipu account or incur usage charges.
Recommendation: Set the key only in the environment, do not commit it to files, use the least-privileged/limited key available, and only use trusted BIGMODEL_API_BASE values.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/video-generate.py
"prompt": prompt[:512], ... out = _request_json("POST", url, api_key, body)

Storyboard prompts are sent to the configured video-generation API endpoint. This matches the skill purpose, but it means creative brief content leaves the local project.

User impact: Private or sensitive details included in the storyboard prompts may be transmitted to the external provider.
Recommendation: Avoid putting confidential information in prompts and keep the default/trusted provider endpoint unless you intentionally use another one.