Skill v1.0.0
ClawScan security
Viral Video Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 7:48 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (scraping via Apify, producing videos via InVideo, and using Claude) generally matches its description, but the package metadata omits required credentials and leaves ambiguous how/where third‑party APIs and scraped data are accessed — that mismatch warrants caution.
- Guidance: This skill appears to do what it promises (scrape trends, generate scripts, and produce videos) but the package metadata fails to list the API keys the instructions clearly require. Before installing or running: 1) Ask the publisher which credentials are required and how they are consumed (Apify, InVideo, and Claude), and whether the agent will store them. 2) Verify where scraped data and produced videos are sent/stored and check the services' privacy/retention and copyright policies. 3) Use limited-scope API keys or separate service accounts where possible, and monitor billing/usage. 4) If you need autonomous runs, confirm how often it will scrape external platforms to avoid unexpected data transfer or rate-limit/billing issues. 5) Because the source is unknown and there's no homepage, prefer caution — require publisher/source verification before granting credentials.
Review Dimensions
- Purpose & Capability (concern): The described capabilities (scraping viral content, analyzing patterns, and producing videos via InVideo) are coherent with the skill's purpose. However, the registry metadata lists no required environment variables or credentials, while the SKILL.md explicitly expects an Apify token and an InVideo API key in its INPUT example. Additionally, the skill claims to use Claude AI but provides no explicit instruction about how to authenticate to Claude (no declared env var or input). The omission of these required credentials in metadata is inconsistent and concerning.
- Instruction Scope (note): The SKILL.md stays focused on scraping social platforms, analyzing trends, generating scripts, and producing videos. It does not instruct the agent to read local files, secrets, or unrelated system state. It does, however, instruct network activity (Apify scrapers, InVideo API calls, and use of Claude) and implies transmission of scraped platform data and content assets to third-party services — users should confirm what exact data is sent, where it is stored, and retention/ownership policies.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. There is no embedded binary download or archive extraction.
- Credentials (concern): The SKILL.md requires API credentials (apify_token, invideo_api_key) in its input JSON, and references Claude AI usage, but the registry metadata declares no required env vars or primary credential. This mismatch means the skill as published does not transparently communicate the secrets it needs. Requesting API keys for scraping and video production is proportionate to the stated functionality, but the missing declarations and ambiguous handling of the Claude credential are red flags.
- Persistence & Privilege (ok): The skill does not request always:true, does not declare system-level config paths, and is user-invocable only. It does not appear to require persistent system privileges beyond making outbound API calls.
