AI Image
ReviewAudited by ClawScan on May 10, 2026.
Overview
This image-generation skill mostly matches its purpose, but one helper can attach your skills.video API key to a caller-supplied full URL.
Install only if you trust skills.video and need this API integration. Before using custom endpoints or base URLs, verify they are on the intended skills.video host, and consider asking the maintainer to add host allowlisting so your API key cannot be sent elsewhere.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user supplies a malicious or mistaken full URL, the API key could be exposed and used to access the user's skills.video account or credits.
The helper allows a full URL and attaches the SKILLS_VIDEO_API_KEY bearer token to the request, so a non-skills.video URL could receive the credential.
help="SSE create endpoint path or full URL" ... if endpoint.startswith("http://") or endpoint.startswith("https://"): return endpoint ... "Authorization": f"Bearer {api_key}"Restrict endpoints/base URLs to https://open.skills.video or an explicit allowlist, require confirmation for custom hosts, and rotate the API key if it may have been sent to an unintended destination.
Using the skill can create remote generation jobs and consume skills.video credits.
The skill intentionally submits image-generation jobs and handles credit-related failures; this is purpose-aligned but can affect the user's remote account and paid credits.
Execute `POST /generation/sse/...` as default and keep the stream open ... If category is `insufficient_credits`, tell the user to recharge
Use it only for user-requested image generation, confirm expensive or repeated jobs, and avoid submitting private prompts or files unless the user is comfortable sending them to skills.video.