Skillv1.1.0

ClawScan security

tibetan-cinematic-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 8, 2026, 12:19 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions, inputs, and storage requirements are coherent with its stated purpose (generate short Tibetan-themed videos via Google Veo from a user image and three Chinese words); nothing requested appears unrelated, but a small ambiguity about how Veo credentials/endpoints are provided warrants user verification.
Guidance: This skill is internally consistent for its stated task, but before installing: (1) verify your OpenClaw/agent environment includes a trusted google/veo tool integration (so Veo calls are authenticated by the platform and not by this skill), and confirm how credentials/endpoints are managed; (2) confirm the platform will not copy or retain input images or outputs outside ~/.openclaw/workspace/tibetanProc/ if you require stricter storage controls; (3) if you have privacy or compliance concerns about sending images to an external video API, do not enable the skill until you confirm where data is sent and how it's stored/retained; (4) note the skill enforces cultural guardrails—review outputs for accuracy and sensitivity. If the platform cannot demonstrate trusted Veo integration, treat the missing credential declaration as a blocker.

Purpose & Capability: okName/description (Tibetan cinematic video via Google Veo) matches the SKILL.md: it specifies building prompts, sending the input image and prompt to Veo, and saving the generated clip. No unrelated capabilities or unrelated env vars/binaries are requested.
Instruction Scope: okRuntime instructions are narrowly scoped: require an image and exactly three Chinese words, build a Veo prompt, call Veo, poll, download the resulting clip, and save to the declared directory. The skill does not instruct reading other files or arbitrary environment variables. It enforces a strict output path and rejects creation outside the tibetanProc subdir.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk at install time. Low install risk.
Credentials: noteNo environment variables or credentials are declared, which is coherent if the platform provides a google/veo tool integration that already handles auth. The SKILL.md references Veo and an 'internal Veo endpoint' — confirm how Veo credentials/endpoints are supplied by the platform and that no hidden credential requests will be made at runtime.
Persistence & Privilege: okThe skill is not always-enabled and is user-invocable. It does not request persistent system-wide changes or access to other skills' configurations. It only writes output under its dedicated tibetanProc directory per its own file-spec.