Web2Labs Studio
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its video-editing purpose, but its setup flow can regenerate existing API keys and its watch/auto-spend automation deserves careful review before use.
Install only if you are comfortable uploading selected videos to Web2Labs and using credits through the skill. Before setup, verify whether regenerating your API key could break other integrations, and consider setting WEB2LABS_SPEND_POLICY=explicit, especially before batch or watch-mode automation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Completing setup could revoke an existing Web2Labs API key and break other scripts or integrations that rely on the old key.
The setup flow can replace an existing Web2Labs API key rather than only saving or using a user-provided key, and this account-impacting behavior is not clearly highlighted in the SKILL.md setup description.
regenerateIfExists: if the user already has an API key, revoke it and create a new one ... body: JSON.stringify({ regenerateIfExists: true })Before running setup, check whether you already use a Web2Labs API key elsewhere; the vendor should require explicit confirmation before regenerating or revoking an existing key.
If enabled, the skill may keep processing future channel videos and consuming credits without you approving each individual job.
Watch mode extends the skill from a one-shot edit into ongoing monitoring and automatic processing, but the provided artifact excerpt does not clearly show stop controls, maximum items, or per-video approval.
`studio_watch`: Watch a YouTube or Twitch channel for new videos and auto-process them.
Use watch mode only with explicit limits, monitor credit usage, and prefer an explicit spend policy until the workflow and stop behavior are clear.
Normal editing, rerendering, thumbnails, or automation may consume credits automatically within configured limits.
The default spend policy permits some paid credit-consuming actions without prompting, although the artifacts disclose caps and confirmation behavior.
`auto` (default): proceed without prompt unless auto-spend caps are exceeded.
Set WEB2LABS_SPEND_POLICY to `explicit` or `smart` if you want stronger budget control.
URL processing depends on a locally installed third-party downloader and will download media before uploading it to Web2Labs.
The skill invokes the local yt-dlp binary for URL-based video downloads. This is expected for the stated URL-input workflow and uses execFile with fixed arguments rather than arbitrary shell execution.
const { stdout } = await execFileAsync("yt-dlp", ["--version"])Install yt-dlp only from a trusted source and only process content you have rights to edit.
Project completion metadata may be sent to the webhook URL you provide.
The skill can configure Web2Labs to send completion callbacks to a user-supplied URL; this is disclosed and includes optional signing, but it is still an external data flow.
`studio_upload` accepts `webhook_url` and optional `webhook_secret` for `project.completed` callbacks.
Use only webhook endpoints you control and configure a webhook_secret so callbacks can be verified.