Skill v1.0.0

ClawScan security

seedance-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 14, 2026, 1:33 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is largely coherent (it routes requests to SkillBoss for Seedance video generation) but the runtime instructions expect a SkillBoss API key even though the registry metadata lists no required credentials — an important omission that could indicate sloppy configuration or hidden expectations.
Guidance
This skill appears to be what it claims (a SkillBoss front-end for Seedance video generation) but the SKILL.md examples use an environment variable SKILLBOSS_API_KEY while the registry metadata lists no required env vars. Before installing or enabling:
- Confirm where and how you must provide a SkillBoss API key (SKILLBOSS_API_KEY). The metadata should explicitly list this required credential; ask the publisher to fix the manifest if it's missing.
- Remember generated requests and any reference images will be sent to https://api.skillboss.co — don't upload sensitive images or confidential text unless you trust SkillBoss's handling and billing.
- Verify the skill's publisher/source (homepage is provided, but the repository/source is unknown). Prefer skills with a published repo or verified publisher.
- Check SkillBoss pricing/billing for per-second charges before generating videos.
- Because this is instruction-only (no code to audit), treat it as higher risk than a published open-source skill — request the publisher to declare required env vars and provide a public repository or additional provenance if you need higher assurance.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (Seedance/SkillBoss video generation) matches the instructions (POST to https://api.skillboss.co/v1/run, model seedance/seedance-2.0). However, examples and agent guidance assume an environment variable SKILLBOSS_API_KEY for Authorization, while the registry metadata declares no required env vars — this mismatch is unexpected and problematic.
Instruction Scope
note: SKILL.md stays on-topic: it describes forming POST requests to SkillBoss, supported options, and expected outputs. It does not instruct reading unrelated local files or unusual system paths. The only scope issue is the implicit use of SKILLBOSS_API_KEY in examples and guidance despite that not being declared in metadata.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. There are no downloads, extracted archives, or package installs to evaluate.
Credentials
concern: The skill legitimately needs an API key to call SkillBoss, but the skill metadata does not declare any required environment variables. Requiring SKILLBOSS_API_KEY (shown in examples) without declaring it is an inconsistency. No unrelated credentials are requested, which is good, but the omission reduces transparency.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request permanent/automatic inclusion or attempt to modify other skills' configuration. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags.