Back to skill
Skillv1.0.1
ClawScan security
Video Narrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 8:00 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and dependencies are coherent with a TTS-for-video narrator: it only asks for the SenseAudio API key, Python/ffmpeg, and standard Python audio libraries and does not request unrelated credentials or system access.
- Guidance
- This skill appears coherent for generating voiceover tracks, but before installing: 1) Verify the origin and trustworthiness of the SenseAudio service (https://senseaudio.cn) and obtain an API key with least privilege. 2) Confirm your environment's installer mapping for 'uv'—ensure it will install requests and pydub from official PyPI rather than fetching code from an untrusted host. 3) Keep the API key out of logs and examples as the skill recommends. 4) Because pydub relies on ffmpeg, ensure your ffmpeg binary is the expected trusted system package. 5) If you need stronger assurance, review any runtime code the skill will actually execute (there are no code files bundled here) or run it first in an isolated/test environment.
Review Dimensions
- Purpose & Capability
- okName/description (video narration, timestamped segments, editor exports) align with requested items: SENSEAUDIO_API_KEY, python3, ffmpeg, requests, and pydub — all reasonable for producing and assembling TTS audio for video.
- Instruction Scope
- okSKILL.md instructions are scoped to preparing timed scripts, calling the SenseAudio TTS API, decoding returned audio, and optionally assembling clips locally. There are no instructions to read unrelated system files, exfiltrate extra data, or post data to endpoints outside senseaudio.cn.
- Install Mechanism
- okDeclared installs are two Python packages (requests, pydub) — typical and proportionate. The installer kind is 'uv' in metadata (unusual label in this manifest) but the packages themselves are standard PyPI libraries; no arbitrary URL downloads or archive extraction are used.
- Credentials
- okOnly a single credential is required (SENSEAUDIO_API_KEY) and it is clearly tied to the service the skill integrates with. The SKILL.md explicitly instructs to send the key only in the Authorization header and warns against logging or embedding it.
- Persistence & Privilege
- okSkill is not always-enabled, does not request permanent system presence, and does not instruct modifications to other skills or global agent settings.