v1.0.0

AI Video Gen CN

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

This appears to be a straightforward AI video-generation skill, but users should notice that it uses paid third-party API keys, installs Python packages, and runs FFmpeg even though the registry metadata under-declares those requirements.

Guidance: Install only if you are comfortable providing API keys to the supported media providers and sending your prompts to those services. Use a virtual environment, set provider spending limits, verify FFmpeg and dependencies, and double-check output filenames because the scripts may overwrite generated media files.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
add_voiceover.py
cmd = ['ffmpeg', '-y', '-i', video_path, '-i', audio_path, ... output_path]; subprocess.run(cmd, capture_output=True, text=True, check=True)

The skill runs FFmpeg as a local subprocess using user-provided media paths. This is expected for video editing and does not use a shell, but the '-y' flag can overwrite output files.

User impact: Running the commands can create or overwrite local video/audio files at the paths you provide.
Recommendation: Review input and output paths before running, avoid important existing filenames, and keep FFmpeg installed from a trusted source.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: Medium, Status: Note
requirements.txt
openai>=1.0.0
replicate>=0.20.0
requests>=2.31.0
pillow>=10.0.0
python-dotenv>=1.0.0

The installation path uses floating lower-bound Python dependencies rather than pinned versions or a lockfile. This is common for small skills, but it reduces reproducibility.

User impact: Future installs may receive newer dependency versions than the author tested.
Recommendation: Install in a virtual environment, review packages before installing, and consider pinning exact versions if you need reproducible behavior.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
SKILL.md
OPENAI_API_KEY=sk-... ... REPLICATE_API_TOKEN=r8_... ... LUMAAI_API_KEY=luma_... ... RUNWAY_API_KEY=... ... ELEVENLABS_API_KEY=...

The skill asks for provider API credentials that may access paid accounts or consume credits. This is expected for image, video, and voice generation, but users should recognize the credential boundary.

User impact: The skill can use your OpenAI, Replicate, LumaAI, Runway, or ElevenLabs accounts when you run generation commands, which may incur costs.
Recommendation: Use dedicated API keys with spending limits where possible, store them as secrets or in a local .env file, and revoke keys you no longer need.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium, Confidence: High, Status: Note
generate_video.py
client.images.generate(... prompt=prompt ...); response = client.audio.speech.create(... input=text); requests.post("https://api.lumalabs.ai/dream-machine/v1/generations", headers=headers, json=data)

User prompts and narration text are sent to external AI providers. This is central to the skill's purpose and is disclosed, but sensitive prompt content leaves the local environment.

User impact: Private details included in prompts or voiceover text may be processed by third-party services.
Recommendation: Avoid putting confidential, regulated, or personal information in prompts unless you accept the relevant provider's data and retention policies.