LibTV Skill Pro
Review
Audited by ClawScan on May 13, 2026.
Overview
The skill mostly matches its LibTV image/video purpose, but it should be reviewed because its HTML export can include unescaped session content and it uses a LibTV account key.
Install only if you trust the publisher and need LibTV automation. Use a revocable LibTV access key, verify the API base URL, review batch jobs before running them, and avoid opening HTML exports from untrusted sessions unless the export is sanitized.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening an exported HTML report from an untrusted or compromised session could run browser content the user did not intend.
Session content returned from the API is inserted into an HTML export without HTML escaping or sanitization, so a crafted message containing HTML or script could execute when the user opens the exported report.
content_html = content.replace("\n", "<br>") ... html_parts.append(f'<div>{content_html}</div>')
Escape message content and attribute values before writing HTML, consider a restrictive Content Security Policy, and only open HTML exports from sessions you trust until this is fixed.
Anyone who can run the skill with this environment variable can create/query sessions and perform LibTV project operations under that key.
The skill uses the user's LibTV access key as a bearer token for API requests, which is expected for this integration but grants account/session authority.
ACCESS_KEY = os.environ.get("LIBTV_ACCESS_KEY", "") ... "Authorization": f"Bearer {ACCESS_KEY}"
Use a revocable or least-privileged LibTV key if available, keep it out of logs, and verify OPENAPI_IM_BASE/IM_BASE_URL before running because the bearer token is sent to the configured endpoint.
A large task list or high worker count may create many generation jobs and incur cost or quota usage.
The skill can launch multiple LibTV generation tasks concurrently from a file or repeated message arguments; this is a disclosed advanced workflow but can consume service resources or credits.
parser.add_argument("--workers", type=int, default=5 ...); ThreadPoolExecutor(max_workers=args.workers)
Review task files before running batch mode and start with low concurrency unless you intentionally want bulk generation.
Project identifiers and notes may remain on the device after use and could be read by other local users or future tasks.
The skill persists local project metadata, including current project UUIDs and descriptions, outside the skill directory.
PROJECTS_FILE = os.path.expanduser("~/.libtv_projects.json") ... json.dump(data, f, ensure_ascii=False, indent=2)
Delete ~/.libtv_projects.json if you no longer want local project history, and avoid putting sensitive information in project descriptions.
It may be harder to confirm that the installed package exactly matches the intended publisher and registry entry.
The internal metadata names a different owner/slug than the supplied registry metadata for libtv-skill-pro, which is a provenance inconsistency even though the runtime code is otherwise coherent.
"ownerId": "kn7b7895jyyaym0gx50zm6n3k183bh13", "slug": "libtv-skills"
Verify the publisher/source before installing, especially because the skill requires a LibTV access key.
