ClawHub
Back to skill
v1.0.0

Runwayml

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:09 AM.

Analysis

This is a straightforward Runway API instruction skill; it requires a Runway API key, an SDK install, and sending prompts or media to Runway, all of which are disclosed and aligned with its purpose.

GuidanceBefore installing, make sure you are comfortable setting a Runway API key, installing the npm SDK, sending prompts or media to Runway/partner models, and spending Runway credits for generation tasks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
Install the Node.js SDK: `npm install @runwayml/sdk`

The setup step pulls an external npm package without pinning a version; this is user-directed and purpose-aligned, but it is still a package provenance consideration.

User impactThe installed SDK version and its dependencies come from npm at install time.
RecommendationInstall from the trusted npm registry, consider pinning a known-good version or using a lockfile, and review the package if your environment is sensitive.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
compatibility: Requires internet access and a RunwayML API key stored as RUNWAYML_API_SECRET environment variable.

The skill needs a service credential to act on the user's Runway account; this is expected for the stated purpose, but users should notice that the registry metadata did not declare the credential requirement.

User impactUsing the skill requires providing a Runway API key, and generated tasks may use the user's account quota or credits.
RecommendationStore RUNWAYML_API_SECRET only in a trusted environment, avoid sharing logs that might expose it, and review Runway account permissions and billing before use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Generate AI videos, images, and audio using Runway's API... supporting ... third-party models from Google (Veo) and ElevenLabs.

The skill discloses that prompts and media are sent to Runway and may involve partner models; this is central to the media-generation purpose, but it creates an external data boundary users should understand.

User impactPrompts, images, audio, or video submitted for generation may leave the local environment and be processed by Runway or model partners.
RecommendationDo not submit confidential, regulated, or third-party media unless that is acceptable under Runway's and any partner providers' data terms.