Skill v1.0.1

ClawScan security

video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 9:56 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement the claimed video-generation behavior, but there are inconsistencies (notably a missing declared environment variable and no trusted homepage) that warrant caution before installing.
Guidance
This skill's code and instructions match its stated purpose (it sends prompts/images to api.skillbossai.com and downloads an MP4). However:

(1) The registry metadata omitted the SKILLBOSS_API_KEY requirement — the script will fail without that env var; confirm the author updates metadata before installing.

(2) The SkillBoss API domain (api.skillbossai.com) is a third-party endpoint: any prompt text and images you send will be transmitted to that service, so don't send secrets or sensitive images.

(3) There is no homepage or known publisher info — consider this untrusted until you can verify the author.

Recommended actions: inspect the included script yourself (already provided), verify and set up a dedicated API key with appropriate scope, run the tool in a sandboxed environment or restricted account, and ask the publisher to correct the registry metadata (declare SKILLBOSS_API_KEY) and provide a homepage or contact. If you need higher assurance, request the publisher provide a signed release or host the project on a known repository for further review.

Review Dimensions

Purpose & Capability
concern: Name/description, SKILL.md, and the script all align: the skill uploads a prompt (and optional images) to SkillBoss API Hub and downloads an MP4. However, the registry metadata lists no required env vars, while both the SKILL.md metadata and the script require SKILLBOSS_API_KEY; this metadata mismatch should be corrected.
Instruction Scope
ok: Runtime instructions are narrowly scoped: run scripts/generate_video.py with uv; the script reads any referenced local images, calls https://api.skillbossai.com/v1/pilot with the prompt/images, downloads the returned video URL, and writes an output MP4. It does not reference unrelated system files, other env vars, or unexpected remote endpoints.
Install Mechanism
ok: There is no install spec (instruction-only) and included code is run via the uv runner. No external archive downloads or installers are specified. Including a code file without an install step is not ideal but not inherently risky.
Credentials
concern: The script requires SKILLBOSS_API_KEY (it reads os.environ['SKILLBOSS_API_KEY']) but the registry lists no required env vars or primary credential. Requesting one API key for the remote service is proportionate to the functionality, but the metadata omission is an inconsistency that could lead to runtime errors or confusion. No other credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system settings, and only writes the output video file that the user explicitly names. Autonomous invocation is allowed (default) but not combined with other elevated privileges.