Skill v0.0.10
ClawScan security
Giggle Generation Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 2:37 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests, instructions, and included script are consistent with a video-generation integration that uses a single giggle.pro API key and python3; nothing requests unrelated credentials or installs external code.
- Guidance: This skill appears coherent: it only needs your giggle.pro API key and runs a bundled python script to submit/query generation tasks. Before installing, confirm you trust giggle.pro and are comfortable that the agent will forward signed video URLs (they contain signature query params and are time-limited). Be careful when providing base64 frames or prompts that include sensitive data (those will be transmitted to the giggle.pro service). Note there is a minor coding inconsistency in model default durations (wan25 default is 0 in code), which may cause an error if you rely on defaults — specify duration explicitly for that model. If you want extra caution, create an API key with limited scope/quotas on giggle.pro or test with a throwaway key first.
Review Dimensions
- Purpose & Capability (ok): Name/description (text-to-video, image-to-video) align with required binary (python3), required env (GIGGLE_API_KEY), included script, and network endpoint (https://giggle.pro). The declared primary credential (GIGGLE_API_KEY) is appropriate for the stated purpose.
- Instruction Scope (ok): SKILL.md instructs submitting tasks and querying status via exec of scripts/generation_api.py and to store task_id in memory. The runtime instructions only reference the declared env var and the included script; they do not request unrelated files, credentials, or external endpoints beyond giggle.pro. Note: the agent will forward signed video URLs as-is, so those URLs (with signature query params) will be exposed to whomever the agent messages.
- Install Mechanism (ok): No install spec; this is an instruction-only skill with one bundled Python script and a small requirements.txt (requests). No downloads or archive extraction. Risk from install mechanism is minimal.
- Credentials (ok): Only GIGGLE_API_KEY is required and declared as primaryEnv. The script reads only that env var. No other tokens/keys/passwords are requested. This is proportionate for a hosted-generation API client.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request system-wide configuration changes. It asks the agent to store a task_id in memory (per SKILL.md), which is reasonable for tracking async jobs. The skill can be invoked autonomously (platform default) but that is expected for skills and is not combined with other high privileges here.
