Back to skill
Skillv1.0.0
ClawScan security
Video Captioning by ReelWords · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 22, 2026, 7:59 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variables are consistent with its stated purpose of creating/polling ReelWords caption jobs; nothing suggests misdirection or unexplained privilege requests.
- Guidance
- This skill appears to do what it claims: call ReelWords APIs to create/poll caption jobs and optionally download results. Before installing: (1) ensure you trust https://reelwords.ai and are willing to give the skill an API key; (2) provide the key via REELWORDS_API_KEY or the suggested ~/.clawdbot/openclaw.json but avoid committing the key to source control; (3) install the Python dependency 'requests' (e.g., pip install requests) because the included script requires it; (4) run the script in a trusted environment since it performs network calls and will write the downloaded video to disk; (5) rotate the API key if you later revoke access. If you want extra assurance, inspect or run the script in a sandboxed environment before granting the key to production systems.
Review Dimensions
- Purpose & Capability
- okName/description, required env var (REELWORDS_API_KEY), and the included script all target ReelWords' caption API (api.reelwords.ai). No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- okSKILL.md limits actions to creating a caption job, polling status, and downloading the rendered video (or using the helper script). It only references the REELWORDS_API_KEY and an optional local OpenClaw config file for storing that key; it does not instruct reading unrelated files or exfiltrating data to unexpected endpoints.
- Install Mechanism
- noteThis is instruction-only (no install spec) and therefore low risk, but the included Python script depends on the third-party 'requests' package while the skill only declares 'python3' as a required binary. The README does not provide an install step for Python dependencies (e.g., pip install requests).
- Credentials
- okOnly REELWORDS_API_KEY is requested, which is appropriate for the API usage described. No extra tokens, secrets, or unrelated environment variables are requested.
- Persistence & Privilege
- okalways:false (not force-included) and normal user-invocable/autonomous invocation defaults. The skill does not request elevated or cross-skill configuration changes.