Back to skill
Skillv2.23.0
ClawScan security
Video Translate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 13, 2026, 6:13 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions align with its stated purpose of translating/dubbing videos via HeyGen and only require the HeyGen API key; nothing in the package suggests unrelated or hidden behavior.
- Guidance
- This skill appears internally consistent and only needs your HEYGEN_API_KEY so it can call HeyGen's video_translate API. Before installing: (1) Be aware any video URLs or uploaded content will be sent to HeyGen — avoid sending sensitive or private videos unless you trust the service and your account's settings; (2) Use a least-privilege or scoped API key if HeyGen supports it and rotate/revoke keys when not needed; (3) If you plan to use callback_url, ensure the callback target is trusted (callback endpoints can be used to exfiltrate metadata); (4) Review HeyGen's privacy/TOS to understand retention and processing of uploaded media. If you need assurance about exact network flows or internal logging, request the skill author provide concrete request/response examples and any webhook handling details.
Review Dimensions
- Purpose & Capability
- okName/description (video translation & dubbing) match the declared requirement (HEYGEN_API_KEY) and the SKILL.md which instructs calls to HeyGen's video_translate endpoints. Required credential is appropriate and expected.
- Instruction Scope
- okSKILL.md contains concrete curl/TypeScript/Python examples that call HeyGen endpoints, poll status, and download results. It does not instruct reading unrelated files, accessing other environment variables, or sending data to endpoints outside HeyGen (except optional callback_url which is a HeyGen feature).
- Install Mechanism
- okNo install spec or code files — instruction-only skill. Lowest-risk approach: nothing is downloaded or written to disk by the skill package itself.
- Credentials
- okOnly HEYGEN_API_KEY is required and declared as the primary credential. That is proportionate for a skill that calls HeyGen APIs. No unrelated secrets, config paths, or broad credential requests are present.
- Persistence & Privilege
- okalways is false (not force-included). Autonomous invocation is allowed (platform default) but not combined with elevated privileges. The skill does not request persistent system changes or other skills' configs.