Skill v0.1.1
ClawScan security
YouTube Thumbnail Generator with Nano Banana · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 12:16 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credentials are coherent with a YouTube thumbnail generation workflow that calls Gemini (Nano Banana) — nothing in the bundle requests unrelated privileges or appears to exfiltrate data.
- Guidance: This package is internally consistent with its stated purpose, but review before running: (1) The scripts will send whatever you pass as copy to Google's generativelanguage API using your GEMINI_API_KEY/GOOGLE_API_KEY — avoid sending private or sensitive data. (2) Ensure the API key you provide has appropriate billing/usage controls and is stored securely. (3) The scripts write files to an outputs/ directory; run them in a workspace you control (or a sandbox) if you are cautious. (4) Run the included selftest (scripts/selftest.py) and inspect the scripts if you want to confirm behavior; the code is small and uses only standard library network calls to the official generativelanguage endpoint. (5) If you need tighter assurance, restrict the key scope, rotate keys after testing, or run the code in an isolated environment.
Review Dimensions
- Purpose & Capability: ok. Name/description match the implementation: scripts build a thumbnail plan with a Gemini text model and optionally call Gemini's image endpoint. Requested binaries (python3) and environment variables (GEMINI_API_KEY / GOOGLE_API_KEY) are appropriate and expected for this functionality.
- Instruction Scope: ok. SKILL.md instructs the agent to analyze input copy, build prompts, and optionally call local scripts that POST to Google's generativelanguage endpoint. The instructions reference only the provided scripts, output paths under outputs/, and the declared API keys — they do not instruct reading unrelated system files or other credentials.
- Install Mechanism: ok. There is no external install spec (instruction-only / local scripts), so nothing is downloaded from remote URLs. The included Python scripts are self-contained and use only the standard library for network calls; no third-party package installs or external archives are pulled.
- Credentials: ok. Only GEMINI_API_KEY (primary) or GOOGLE_API_KEY are required and are used to authenticate with Google's generativelanguage API. No unrelated secrets or many credentials are requested. The credential usage is proportional to the described purpose.
- Persistence & Privilege: ok. The skill is not forced always-on (always: false) and does not modify other skills or global agent settings. It writes outputs to local files under outputs/, which is expected behavior for a generator script.
