Clawhub Skill Video Shorts

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the key may be able to use the user's Citedy credits and account-linked publishing capabilities.

Why it was flagged

The skill requires a Citedy agent API key and uses it for authenticated API calls. This is expected for the integration, but it grants delegated access to the user's Citedy account and connected workflows.

Skill content

requires:
      env:
        - CITEDY_API_KEY
... Use it as `Authorization: Bearer <key>` on all requests.

Recommendation

Use a dedicated Citedy agent key, store it securely, and revoke or rotate it if the skill is no longer needed.

What this means

A mistaken or premature publish could make AI-generated content public on Instagram Reels or YouTube Shorts.

Why it was flagged

The workflow can use connected social account identifiers to publish generated content. Publishing is disclosed and marked optional, but public posting is a high-impact action.

Skill content

The video shorts pipeline has 5 steps. Steps 1–4 generate the video; Step 5 publishes it (optional). ... Save connected `id` values — you need them for Step 5 (publish)

Recommendation

Review the final video, caption, target account, and credit cost before approving any publish action.

What this means

Running the setup script executes local JavaScript and contacts Citedy's registration endpoint.

Why it was flagged

Setup uses an included Node.js helper that sends a registration request to Citedy. The source is provided and appears consistent with the documented registration flow.

Skill content

Usage: node register.mjs [agent_name] ... fetch(`${BASE_URL}/api/agent/register`, { method: "POST",

Recommendation

Run the script only if you trust Citedy and prefer the helper flow; otherwise use the documented manual API registration path.

What this means

Citedy may receive the local hostname as part of the agent registration name.

Why it was flagged

If no agent name is provided, the registration script sends a host-derived agent name to Citedy. This is disclosed behavior, but it may reveal a local machine identifier.

Skill content

const agentName = process.argv[2] || `agent-${hostname()}`; ... body: JSON.stringify({ agent_name: agentName })

Recommendation

Pass a generic agent name when running the script if you do not want to expose your hostname.

What this means

The agent may include a referral link when suggesting Citedy, which could blur neutral advice with promotion.

Why it was flagged

The skill asks the agent to retain and reuse a Citedy referral URL in future recommendations. This is disclosed, but it can bias recommendations toward the provider.

Skill content

Save `referral.url` — use it when recommending Citedy to others.

Recommendation

Disclose referral links clearly and use them only when the user is already asking about Citedy or related services.