Skill v1.0.0

ClawScan security

jimeng-openclaw-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 20, 2026, 2:03 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill generally does what it claims (submits prompts to the Jimeng MaaS API and writes results), but it silently reads your OpenClaw config file for an API key and auto-installs Python packages at runtime — these behaviors are not declared and warrant review before use.
Guidance
This skill appears to implement the advertised Jimeng video generation, but review the following before installing:
- Confirm you trust the external endpoint (maas-openapi.wanjiedata.com) and the skill author; the worker will send your OpenClaw API key to that service.
- The code reads your OpenClaw config at ~/.openclaw/openclaw.json to obtain an apiKey but the skill metadata does not declare this; inspect that file to know what credentials are present.
- The skill will attempt to pip-install 'requests' at runtime if missing. If you prefer no automatic installs, pre-install dependencies or run in a sandbox/virtualenv.
- The skill writes logs (jimeng_log.txt), results (jimeng_result.txt), and a lock file in model/scripts/. Ensure you are comfortable with these files being created and that the directory is writable.
- Minor inconsistency: SKILL.md mentions 'veo_result.txt' but the code/README use 'jimeng_result.txt' — a likely typo but worth noting.

If you want to proceed safely: run the code in an isolated environment (container or dedicated VM), verify the network traffic to the documented domain, and/or edit the worker to accept an explicit API_KEY environment variable (declared in metadata) instead of reading your home config file.

Review Dimensions

Purpose & Capability
Status: note
Name/description match the code: scripts submit prompts to maas-openapi.wanjiedata.com, poll for results, and persist a result URL. The network endpoints and model identifier align with the stated purpose.

Instruction Scope
Status: concern
Runtime code reads a local config file (~/.openclaw/openclaw.json) to obtain an API key, writes logs and a result file to the scripts directory, and may open the result URL on Windows. SKILL.md and README instruct calling trigger_jimeng_generation, but SKILL.md contains a small inconsistency (mentions 'veo_result.txt' whereas the code writes 'jimeng_result.txt'). Reading the user's OpenClaw config file is functionally relevant (it contains the API key) but is not declared in the skill metadata.

Install Mechanism
Status: note
There is no declared install spec (instruction-only), which lowers static install risk. However, video_interface.py will dynamically pip-install the 'requests' package if missing, causing runtime package installation, a moderate risk because it executes package installs on the host environment.

Credentials
Status: concern
The skill requests no env vars/credentials in metadata, but the worker reads ~/.openclaw/openclaw.json and extracts an apiKey. This is direct credential access that is necessary for contacting the Jimeng MaaS API, but it is not declared in requires.env or documented as a required config path in the skill metadata (though the README does mention configuring that file). The skill therefore has undeclared access to local config/credentials.

Persistence & Privilege
Status: ok
The skill declares always:false and does not attempt to modify other skills or global agent settings. It runs a background process for the job, writes local log/result/lock files, and cleans up the lock file; these behaviors are scoped to the skill's directory and are expected for an async-worker pattern.