Skill v1.1.0
ClawScan security
LovTrip Video to Article · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 5:30 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions align with its description: it sends a public YouTube URL (and the video data fetch request) to Google Gemini using a single GEMINI_API_KEY to generate an article — nothing requests unrelated credentials or installs extra tooling.
- Guidance: This skill appears coherent and does what it says: it will send the provided YouTube URL (and thus the video for processing) to Google Gemini using your GEMINI_API_KEY to generate an article. Before installing/using it: 1) Only use with public or shareable videos — private or copyrighted content will be sent to Google. 2) Protect your GEMINI_API_KEY (don't paste it into public places); prefer setting it in a secure environment rather than exposing it in shared shell histories or logs. 3) Be aware of cost and content-moderation implications of calling Gemini (long videos may consume more quota). 4) If you need assurance about how the video is delivered (direct URL fetch vs. required download), test in a safe environment. If you want stricter privacy, avoid sending sensitive videos to third-party APIs.
Review Dimensions
- Purpose & Capability (ok): The name/description (YouTube video → article) matches the provided script and SKILL.md. The repo and instructions only require a GEMINI_API_KEY and either an MCP wrapper or the included Node script; these are expected for calling Google Gemini.
- Instruction Scope (note): SKILL.md and the script stay within scope: they ask for a YouTube URL and a GEMINI_API_KEY, then call the Gemini generateContent API. Note: the script places the video URL into a fileData.fileUri field so the Gemini service (Google) will be asked to fetch/process the video — this means the video content (and its URL) is transmitted to Google. That is coherent with the stated purpose but is privacy-relevant and worth the user's attention.
- Install Mechanism (ok): No install spec is provided and the skill is instruction-only with a single Node.js script. There is no network download/install of third-party artifacts by the skill itself, which is the lowest-risk install model.
- Credentials (note): Only GEMINI_API_KEY is required and is used as the API key in the generated request URL — this is proportionate to calling the Google Gemini API. Minor caution: embedding API keys in URL query parameters may appear in logs/proxies; avoid exposing the key in shared logs or public command histories.
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges, does not modify other skills or system-wide settings, and is not force-included. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
