Skill v1.0.0

ClawScan security

ai-video-gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 6:36 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (AI video creation), but there are multiple documentation/manifest inconsistencies and missing metadata (notably the required SKILLBOSS_API_KEY is not declared in the registry metadata and several referenced files are absent), which warrants caution before installing or providing credentials.
Guidance
Before installing or running:
1) Don't paste your SKILLBOSS_API_KEY into a remote form — the scripts send it to https://api.heybossai.com/v1; verify the service is trustworthy and you understand its privacy policy.
2) Confirm the missing items: .env.example, multi_scene.py, edit_video.py, and examples/ are absent — ask the publisher for the full package or audit the code you received.
3) Treat the registry metadata omission (it doesn't list SKILLBOSS_API_KEY) as a warning — prefer skills whose declared requirements match their code.
4) Run the scripts in an isolated environment (throwaway account or sandbox) and review network calls (e.g., with a proxy) if you must supply an API key.
5) If you need higher assurance, request source/origin information or a homepage from the owner before providing credentials.

Review Dimensions

Purpose & Capability
concern: The code (generate_video.py, add_voiceover.py, images_to_video.py) implements image/video/TTS workflows against a SkillBoss API and FFmpeg as described — that part is coherent. However, the registry metadata declares no required env vars while SKILL.md, QUICK_START.md, README.md, and the scripts all require SKILLBOSS_API_KEY. The docs also reference .env.example, multi_scene.py, edit_video.py, and an examples/ folder that are not present in the manifest. These mismatches are inconsistent and should be resolved.
Instruction Scope
note: SKILL.md instructions stay within the stated purpose (call remote API for images/videos/tts, use FFmpeg locally). The runtime scripts only access the SKILLBOSS_API_KEY env var and local media files. No instructions ask to read unrelated system files or other credentials. Note: the docs instruct copying a .env.example (which is missing) and reference additional scripts not included — this could confuse users.
Install Mechanism
ok: There is no install spec (instruction-only). Dependencies are standard Python packages listed in requirements.txt; no external downloads or archive extraction are performed by the skill bundle itself.
Credentials
concern: The code legitimately requires a single service credential (SKILLBOSS_API_KEY) for the SkillBoss API, which is proportionate to the functionality. However, the registry metadata incorrectly lists no required env vars or primary credential — this metadata omission is a red flag because it hides that a secret must be provided to an external service. Users should treat providing an API key to an unknown/undocumented service domain with caution.
Persistence & Privilege
ok: The skill does not request persistent/always-on installation and uses normal, user-invoked scripts. It does not modify other skills or system-wide settings.