Skill v1.0.2

ClawScan security

SGLang-Diffusion Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 1:46 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requirements are consistent with its stated purpose (generating video via a local SGLang‑Diffusion server) and it does not request disproportionate credentials or install actions.
Guidance
This skill appears to be what it says: a Python script that talks to an SGLang‑Diffusion server to generate videos. Before installing or running it: (1) ensure the server URL you use is local or trusted (by default it is http://127.0.0.1:30000); (2) protect any API key you set in SGLANG_DIFFUSION_API_KEY or the CLI, and avoid pasting it into public places; (3) do not pass sensitive images via --input-image since the script base64-encodes and uploads them to the configured server; (4) generated files default to /tmp and the script prints a MEDIA: line, which some chat integrations may auto-attach, so be mindful of where outputs are posted. Overall, the skill is internally consistent and proportional to its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script: the skill only requires python3 and talks to a local SGLang‑Diffusion server (default http://127.0.0.1:30000). No unrelated binaries, cloud credentials, or system paths are requested.
Instruction Scope
note: SKILL.md and the script instruct the agent to POST prompts and (optionally) base64-encoded input images to the configured SGLang server, poll status, download the resulting MP4, and print a MEDIA: line for auto-attachment. This is appropriate for the purpose, but it means any server URL you point it at will receive your prompt and any provided input image; do not point it at untrusted remote servers or supply sensitive files as input images.
Install Mechanism
ok: No install spec is provided (instruction-only with one included script). Nothing is downloaded or written to disk by an installer; risk is limited to running the provided Python script.
Credentials
ok: Only an optional SGLANG_DIFFUSION_API_KEY is referenced (used when the server enforces an API key). No unrelated secrets or multiple unrelated environment variables are requested.
Persistence & Privilege
ok: "always" is false and the skill does not request persistent/privileged platform presence or modify other skills. It only runs when invoked.