Skill v1.3.3
ClawScan security
Jimeng AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 5:02 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and SKILL.md are a reasonable CLI for VolcEngine (Jimeng) image/video generation, but the package metadata omits the sensitive environment variables and there is no declared install spec — these mismatches warrant caution before installing or handing over credentials.
- Guidance
- Key things to consider before installing:
  - The skill legitimately needs VolcEngine credentials (VOLCENGINE_AK and usually VOLCENGINE_SK; VOLCENGINE_TOKEN for temporary STS). Do NOT provide cloud credentials unless you trust the source. The registry metadata omitted these required env vars; ask the publisher to correct that.
  - The package is TypeScript CLI code that will: run npm install (per README/SKILL.md), execute via ts-node, make authenticated HTTP requests to open.volcengineapi.com, and write param/response/taskId and generated media under ./output (using md5(prompt) as folder names). If you run it, do so in an isolated environment (container, VM, or dedicated workspace).
  - Prefer using temporary, least-privilege credentials (STS token) rather than long-lived secret keys. If possible create a short-lived, limited-scope VolcEngine key for testing.
  - Review the included scripts (common.ts, text2image.ts, text2video.ts) yourself or have a trusted reviewer check them; they appear to perform standard signing (SignerV4-like) and calls to VolcEngine. Watch for debug logging: enabling DEBUG may print request URLs (which include signatures).
  - Because the registry metadata is inconsistent (no declared env vars/install), ask the publisher for clarification or prefer a well-known published source (GitHub repo/homepage) before granting credentials or running npm install. Run the tool with minimal privileges and in isolation until you are comfortable.
Review Dimensions
- Purpose & Capability
- concern: The skill's name/description match the included TypeScript CLI code, which calls VolcEngine Jimeng APIs. However, the registry metadata says 'Required env vars: none' and 'Primary credential: none' while SKILL.md and the code clearly require VOLCENGINE_AK and typically VOLCENGINE_SK (and optionally VOLCENGINE_TOKEN). That metadata omission is an incoherence that could mislead users about credential needs.
- Instruction Scope
- note: Runtime instructions and scripts stay within the declared purpose: they submit tasks to VolcEngine, poll for results, decode base64 images, and save outputs. The scripts create per-prompt folders (md5(prompt)) and write param.json/response.json/taskId.txt and media files under an output directory. The code includes path-sanitization checks. This behaviour is expected for a CLI tool, but users should note that the skill writes files to the current working directory and will persist prompts and API responses locally.
- Install Mechanism
- concern: The skill has no install spec in registry metadata (instruction-only), but the package includes package.json, package-lock.json and TypeScript files, and SKILL.md instructs running 'npm install' and 'npx ts-node ...'. That mismatch means installing will require fetching npm dependencies and executing shipped code, but the registry did not declare an install step, which is a transparency issue. The npm dependencies (axios, crypto-js, dev tooling) are common and from npmjs, not a direct red flag, but the lack of an explicit install spec increases risk because the platform's install automation may not run the expected dependency installation or sandboxing.
- Credentials
- concern: The only credentials the code requires are VolcEngine access credentials (VOLCENGINE_AK, VOLCENGINE_SK, optional VOLCENGINE_TOKEN), which are proportionate to calling the provider API. However, the registry metadata does not declare these required env vars while SKILL.md and code require them; that omission is a mismatched declaration and a meaningful security concern because users might grant credentials unintentionally. The number of env vars requested is small and appropriate for the service, but they are sensitive (AK/SK) and should be clearly declared.
- Persistence & Privilege
- ok: always:false and no special OS restrictions; the skill does not request permanent presence or elevated agent/system privileges. It writes files under the current working directory (output/...), which the scripts protect against path traversal. Autonomous invocation (model invocation) is allowed by default and is not by itself a red flag here.
