Skill v1.0.0
ClawScan security
Tencent VOD AIGC code helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 5:01 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: This is an instruction-only helper for integrating Tencent Cloud VOD AIGC APIs; its content, examples, and required credentials are consistent with that purpose, though the registry metadata omits declaring the API credentials the instructions say are needed.
- Guidance: This is an instruction-only integration helper for Tencent Cloud VOD AIGC and appears to do what it says. Before installing or using: (1) confirm you will provide only the Tencent Cloud SecretId/SecretKey and the SubAppId required for your VOD operations; (2) do not hardcode credentials — use environment variables or a secrets manager as the docs recommend; (3) verify SDK versions referenced in examples and test in a safe environment (non-production) first; (4) note the metadata omission: the skill does not formally declare required credentials, so ensure the agent environment or your code supplies them explicitly and securely. If you need higher assurance, ask the publisher for a version that declares required env vars and includes provenance/homepage information.
Review Dimensions
- Purpose & Capability (note): The skill's name, description, and SKILL.md consistently describe Tencent Cloud VOD AIGC integration (CreateAigcImageTask, CreateAigcVideoTask, etc.). However, the runtime instructions explicitly say callers need Tencent Cloud API credentials (SecretId/SecretKey) and SubAppId, but the registry metadata does not list any required env vars or primary credential — a mismatch between documentation and metadata.
- Instruction Scope (ok): SKILL.md focuses on calling Tencent VOD AIGC APIs, task polling, callback handling, and SDK examples. It does not instruct the agent to read unrelated system files, exfiltrate data, or contact third-party endpoints outside Tencent documentation and referenced official resources.
- Install Mechanism (ok): No install spec and no code files (instruction-only). Lowest-risk category: nothing is downloaded or written to disk by the skill itself.
- Credentials (note): The guidance rightly requires Tencent Cloud API credentials and SubAppId for the tasks described — these are proportionate to the skill's purpose. But the registry metadata lists no required env vars or primary credential, so the skill bundle does not formally declare the secrets it expects callers to provide. This is an inconsistency to be aware of.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request elevated/always-on privileges or claim to modify other skills or system configuration.
