Skill v0.1.6

ClawScan security

Creatok Generate Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:00 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested credentials are coherent with its stated purpose (calling the CreatOK Open Skills API to generate TikTok videos); nothing appears disproportionate or unrelated.
Guidance
This skill appears to do exactly what it says: it sends prompts and any reference images you provide to the CreatOK Open Skills API (https://www.creatok.ai) using the CREATOK_API_KEY. Before installing or running it:
1) Make sure you trust CreatOK and that you want your prompts/media sent to that service;
2) Provide only reference images you intend to upload (the skill will read the local file paths you supply and upload them via the service's presigned URL);
3) Keep your CREATOK_API_KEY limited to the minimal scope the provider offers and rotate it if you suspect misuse;
4) Note the skill writes outputs under generate-video/.artifacts — do not include sensitive files as reference inputs;
5) Confirm cost/credits when prompted (the skill requires explicit user confirmation before starting a paid generation).
If you want additional assurance, verify the API hostname and endpoints on the official CreatOK documentation and review any policy/terms for data retention before providing private content.

Review Dimensions

Purpose & Capability
ok: Name/description match the implemented behavior: the package only talks to CreatOK endpoints to analyze, submit video-generation tasks, poll status, upload reference images, and persist local artifacts. The only required credential (CREATOK_API_KEY) and required binary (node) are appropriate for this functionality.
Instruction Scope
ok: SKILL.md and the code limit actions to reading model capabilities, submitting tasks, polling status, uploading declared reference image files, and writing outputs under .artifacts. The skill reads only CREATOK_API_KEY from env and local image files the user explicitly supplies; it does not attempt to read unrelated system files or other environment variables.
Install Mechanism
ok: No install spec is provided (instruction+JS files only). There is no download-from-arbitrary-URL or installer; the code is plain Node.js source, so installation risk is low.
Credentials
ok: Only CREATOK_API_KEY is required and it is used to authenticate to creatok.ai. No unrelated secrets or config paths are requested. The skill does read user-supplied local images (for reference uploads), which is proportionate to the stated purpose.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide configs. It persists artifacts only under the skill's .artifacts directory and stores task_id/results there as described in SKILL.md.