v1.0.2

Hilight Video Generate

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:04 AM.

Analysis

This is a coherent video-generation MCP skill, but it uses a video-service API key, a local MCP gateway, and curl-based downloads, so users should verify the provider and protect the key.

Guidance: This skill appears purpose-aligned and disclosed. Before installing, verify the mcporter/MCP service on localhost:10620 is the intended video provider, use a scoped API key if possible, confirm the .env file is not committed or shared, and approve downloads only for video tasks you recognize.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use `exec curl` to download to the local machine ... `exec curl -L -o ~/Downloads/video_task_abc123.mp4 "VIDEO_DOWNLOAD_URL"`

The skill instructs the agent to run local shell commands for downloading and checking the generated video file. This is purpose-aligned and user-triggered, but still writes a remote file locally.

User impact: A generated video file will be saved to the local Downloads folder when the user requests a download.
Recommendation: Only download videos from expected task IDs/URLs, keep the destination path predictable, and do not execute downloaded files unless independently trusted.

Human-Agent Trust Exploitation
Severity: Info | Confidence: Medium | Status: Note
SKILL.md
- **Security guarantee**: `.env` will not be committed to version control (excluded by gitignore)

The skill makes a safety assurance about .env exclusion. The provided file set does not show a .gitignore, so users should verify this protection rather than relying only on the claim.

User impact: If the .env file is copied into a project or not actually ignored, the API key could be accidentally committed or shared.
Recommendation: Confirm that the .env file is excluded from any version control workflow and keep API keys outside shared project folders when possible.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
clawhub.json
"key": "VIDEO_API_KEY", "label": "视频生成平台 API Key(Bearer Token)", "secret": true, "writeEnvFile": ".env"

The setup asks for a bearer-token style credential and stores it in an environment file. This is expected for a video-generation API, but it grants account/API access.

User impact: The skill can use the provided video API key to create, query, and download video tasks, which may consume account quota or expose task history depending on the provider.
Recommendation: Use a least-privilege video API key if available, keep it out of chat/logs, and rotate it if the skill is removed or the key may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
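This skill relies on mcporter to connect to the local MCP server (`http://localhost:10620/mcp`)... The specific tool names and parameters are determined by what the MCP server actually exposes.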

The skill routes actions through a local MCP gateway and says actual tools depend on what that server exposes, so users should confirm the MCP server is the expected trusted one.

User impact: Product descriptions, image URLs, task IDs, and generated-video requests may pass through the local MCP server and then to the video provider.
Recommendation: Before use, verify that localhost:10620 is the intended mcporter/video-generation service and avoid sending confidential product data unless that provider is trusted.