Skill v1.0.1
ClawScan security
SiliconFlow Video Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 11:49 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a video-generation integration: it requires one provider API key, reads an OpenClaw config for that key, and sends generation requests to api.siliconflow.cn; minor metadata mismatches were found but nothing indicates malicious behavior.
- Guidance: This skill appears to do what it says: it needs a SiliconFlow API key and will send prompts (and optional image URLs) to api.siliconflow.cn to request video generation. Before installing or providing an API key:
  1. Verify the SiliconFlow API domain (api.siliconflow.cn) is the legitimate service you expect.
  2. Prefer to create a restricted API key (scoped or rate-limited) rather than using a high-privilege key.
  3. Review scripts/generate.py yourself (it’s short and readable) to confirm there are no additional network destinations.
  4. Correct the metadata mismatch (registry-level 'required env' vs skill.json) or ask the publisher to fix it — mismatched metadata is usually a bookkeeping error but should be clarified.
  5. If you need stricter isolation, run the script in a sandbox or environment with only the minimal network and file access necessary.
Review Dimensions
- Purpose & Capability (note): The skill's code, SKILL.md, README, and skill.json all describe a SiliconFlow video-generation integration and require a SILICONFLOW_API_KEY — this is appropriate for the stated purpose. Minor inconsistencies exist in the registry header: the top-level summary said "Required env vars: none" and "Homepage: none", while skill.json and SKILL.md declare SILICONFLOW_API_KEY as required and skill.json includes a homepage. These metadata mismatches are likely bookkeeping issues rather than malicious intent, but they should be corrected.
- Instruction Scope (ok): SKILL.md and the script limit actions to reading the SILICONFLOW_API_KEY (env or ~/.openclaw/openclaw.json), building a JSON request with the user prompt (and optional image URL), and POSTing to https://api.siliconflow.cn/v1/video/submit. The script does not attempt to read other files, credentials, or transmit data to third-party endpoints. Using curl via subprocess is expected here and aligns with the described functionality.
- Install Mechanism (ok): There is no automated install spec included (instruction-only install via 'npx clawhub install' or manual clone). No downloads from third-party URLs or archive extraction are present in the package. The presence of a single Python script and docs means nothing arbitrary will be written or executed at install time beyond the user's explicit install action.
- Credentials (note): The only secret the skill requires is SILICONFLOW_API_KEY, which is proportionate for calling the SiliconFlow API. One note: the top-level registry metadata reported 'Required env vars: none' despite skill.json and SKILL.md declaring SILICONFLOW_API_KEY as required — this mismatch should be resolved. There are no other credentials or unrelated environment variables requested.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It uses subprocess execution (curl) to call the API, which is expected for this use case. There is no indication of elevated privileges or persistent background behavior.
