Back to skill
Skillv1.0.1
ClawScan security
Vpick Ai Video Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 28, 2026, 7:18 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only skill is internally consistent with its stated purpose (using the VPick cloud service via an MCP connector); it requires no local installs or env vars, but the MCP link you supply is a powerful credential and user media/prompts will be sent to VPick and routed to third‑party model providers.
- Guidance
- This skill delegates all work to the VPick cloud. Before installing or connecting: (1) treat your MCP link as a secret (it grants generation/manage rights in your account) and do not paste it into public chats; (2) review VPick's privacy and billing policies — prompts and uploaded media are sent to VPick and relayed to third‑party model providers; (3) avoid uploading sensitive personal or proprietary data unless you accept that it will be processed by VPick and external models; (4) prefer testing with a throwaway account/limited credits first; (5) verify the VPick domain and service reputation independently (and rotate/regenerate the MCP token if you suspect misuse).
Review Dimensions
- Purpose & Capability
- okThe name/description (AI video studio) match the runtime instructions: all actions are calls against the VPick service (canvas/project/node operations, generation, upload, export). Nothing in the SKILL.md requires unrelated credentials, binaries, or system access.
- Instruction Scope
- noteInstructions stay within the VPick production workflow (create/list canvas, add nodes, generate media, combine/export). However, the skill explicitly instructs sending user prompts and uploaded media to VPick, which then forwards them to third‑party model providers — a privacy/data‑sharing consideration rather than an incoherence.
- Install Mechanism
- okNo install spec or code is included (instruction-only), so nothing is downloaded or written to disk by the skill itself.
- Credentials
- okNo environment variables, local API keys, or config paths are requested by the skill. Authentication is handled by the MCP connector URL (not listed as an env var), which is proportionate to a cloud-hosted service integration.
- Persistence & Privilege
- okThe skill does not request always:true or other elevated persistence. Autonomous invocation is allowed by default (platform normal), and there is no indication the skill modifies other skills or system-wide settings.