Skill v1.0.0
ClawScan security
video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 7:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement legitimate video-generation behavior, but there are inconsistencies between the declared metadata and the actual runtime requirements (missing API key declaration, undeclared Python dependency), so proceed only after verifying those gaps.
- Guidance: This skill appears to do what it claims (call SkillBoss API Hub and download an MP4), but the package metadata is inconsistent: the script requires SKILLBOSS_API_KEY and Python + requests, yet the registry entry does not list the API key or Python dependency. Before installing/using:
  1) Verify the publisher and that you trust api.skillbossai.com.
  2) Ensure you set SKILLBOSS_API_KEY in a safe scope (this key can be abused to consume the account's quota).
  3) Confirm your environment has the 'uv' runner, Python >=3.10, and the 'requests' package.
  4) Be aware the script will upload prompt text and any reference images you provide to SkillBoss and will print a MEDIA: local path (which chat providers may expose).
  If you cannot verify the publisher or do not want to share prompts/images with SkillBoss, do not install it. To improve safety, ask the publisher to correct registry metadata to declare SKILLBOSS_API_KEY as the primary credential and to list Python/requests as runtime requirements.
Review Dimensions
- Purpose & Capability (concern): The skill's name, description, SKILL.md, and script all align: it calls SkillBoss API Hub (/v1/pilot) to generate video and downloads the result. However, the registry metadata omitted the required SKILLBOSS_API_KEY (the script reads os.environ['SKILLBOSS_API_KEY']), and the script requires Python >=3.10 and the requests package, which are not declared in the registry's required binaries/env/dependencies. This metadata mismatch is unexpected.
- Instruction Scope (ok): SKILL.md instructs running the included script via the uv binary and documents the SKILLBOSS_API_KEY. The runtime actions are scoped to: POST to /v1/pilot, download the returned video URL, read optional local image files (up to 3), base64-encode them, and write an MP4 file. It does not read unrelated system files, other env vars, or other skill configs. It prints a MEDIA: line to allow automatic attachment; be aware that this will expose the local path to chat providers.
- Install Mechanism (note): This is instruction-only (no install spec). That's lower risk, but the script declares runtime Python and a requests dependency in comments; the SKILL.md only requires the 'uv' binary. The skill will fail or behave unexpectedly if Python/requests are not present; the absence of an install step or explicit dependency declaration is a packaging concern.
- Credentials (concern): The script requires a single API credential (SKILLBOSS_API_KEY), which is proportionate to the stated purpose. However, the registry metadata lists no required env vars while SKILL.md explicitly documents SKILLBOSS_API_KEY and the script reads it directly. The skill's primary credential field is blank in the registry; that mismatch is a security/packaging inconsistency that should be corrected before use.
- Persistence & Privilege (ok): The skill does not request persistent/always-on presence (always: false) and does not modify other skills or global agent settings. Autonomous invocation is allowed by default but is not combined here with broad privileged access.
