Skill v0.0.10
ClawScan security
Giggle Generation Aimv · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 2:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, dependencies, and environment requirements align with its stated purpose (calling Giggle.pro to generate AI music videos); nothing in the bundle appears to be trying to do unrelated work or exfiltrate secrets beyond the required API key.
- Guidance: This skill appears to do what it says: it calls Giggle.pro using the GIGGLE_API_KEY to create and run MV generation jobs. Before installing, verify you trust Giggle.pro and understand billing: the workflow will poll for progress and can automatically call the pay endpoint (which could incur charges on your account). Store the API key securely (avoid pasting it in chat), test with a small/cheap job first, and be prepared to revoke the API key if you see unexpected charges or behavior. If you need stricter control, ask the maintainer to expose an explicit confirmation step before invoking any payment endpoint.
Review Dimensions
- Purpose & Capability (ok): Name/description match what is implemented: the Python script calls https://giggle.pro endpoints to create projects, submit MV tasks, poll progress, and pay. The single required env var is GIGGLE_API_KEY, which is exactly what the script uses as an auth header. Required binary (python3) and pip package (requests) are proportional to the functionality.
- Instruction Scope (note): SKILL.md instructs the agent to call the trustee-mode API and to run a single workflow function that creates a project, submits a task, polls progress, and may auto-handle payment. This is consistent with MV generation, but automatic payment handling and long-polling (up to 1 hour) are behaviors users should be aware of, since they may cause charges or long-running network activity. The skill only reads GIGGLE_API_KEY from the environment (consistent with requires.env).
- Install Mechanism (ok): This is instruction-only with an included Python script; there is no remote download or install-from-URL. The only runtime dependency is the requests package (declared in requirements.txt and SKILL.md), which is appropriate and low-risk.
- Credentials (ok): Only one credential (GIGGLE_API_KEY) is required and it is used as the script's API key. No other secrets, unrelated credentials, or config paths are requested. The primaryEnv declaration matches actual usage in the code.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request system-wide configuration changes. It runs as a client against the Giggle API and does not modify other skills or global agent configuration.
