ClawHub
Back to skill
v1.0.0

UGC Campaign Pipeline

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:36 AM.

Analysis

This appears to be a coherent UGC video-production workflow, with the main caveat that it chains other local media-generation tools and uses a provider API key.

GuidanceBefore installing, make sure you trust the dependent media-generation skills, understand that product images/scripts may be sent to external generation services, and confirm API-key use and output paths before running the full campaign pipeline.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
STEP 1: HERO IMAGE ... Tool: morpheus-fashion-design ... STEP 2: VARIATIONS ... Tool: multishot-ugc ... STEP 5: UGC VIDEOS ... Tool: veed-ugc (run 4 times) ... STEP 6: FINAL EDIT ... Tool: Remotion

The skill intentionally chains multiple generation and editing tools. This fits the stated pipeline purpose, but it means one user request can trigger several tool/provider operations.

User impactUsing the skill may run several media-generation steps and consume provider credits or produce multiple files before the final MP4 is ready.
RecommendationConfirm the product assets, number of generated variations/videos, and final output path before running the full pipeline.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
SKILL.md
uv run ~/.clawdbot/skills/morpheus-fashion-design/scripts/generate.py ... uv run ~/.clawdbot/skills/multishot-ugc/scripts/generate.py ... uv run ~/.clawdbot/skills/veed-ugc/scripts/generate.py

The skill does not include code itself but instructs use of scripts from other installed skills. Those dependencies are part of the effective trust boundary.

User impactThe safety of the full workflow depends on the separately installed Morpheus, Multishot, VEED, and Remotion tooling.
RecommendationInstall and review those dependent skills/tools from trusted sources before using this pipeline.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
COMFY_DEPLOY_API_KEY="..." uv run ~/.clawdbot/skills/morpheus-fashion-design/scripts/generate.py

The workflow uses a provider API key placeholder for generation commands. This is expected for external media generation, but the registry requirements list no required environment variables.

User impactThe user's Comfy Deploy account or credits may be used when the generation steps run.
RecommendationUse an intended, scoped API key and verify the dependent generation skills before providing credentials.