Skill v1.0.0
ClawScan security
volcengine-video-generate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:35 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (generates video by calling a Volcengine Ark SDK and downloading the result) but has mismatches between its declared requirements and its runtime behavior — notably undeclared/ambiguous credential handling in SKILL.md vs. registry metadata.
- Guidance: This skill appears to be a simple wrapper over Volcengine's Ark content-generation API and downloads the resulting video, which aligns with its stated purpose. However: (1) the registry lists no required environment variables but the script needs an API key (MODEL_VIDEO_API_KEY or ARK_API_KEY) — be prepared to provide a valid key before running; (2) SKILL.md claims an additional fallback using VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY, but that logic is not present in the code — treat that claim as inaccurate; (3) the script will send your text prompt and any provided image (it may convert a local image to a base64 data URI) to the Ark API and will download the returned video URL — only use with a trusted API endpoint and avoid embedding secrets in prompts or image metadata; (4) source and homepage are unknown — if you need stronger assurance, request provenance (author, official repo, or signed release) or run the script in an isolated environment. If you accept these caveats and can supply the required API key, the skill is usable; otherwise proceed cautiously or seek a version with clearer credential handling and provenance.
Review Dimensions
- Purpose & Capability (note): The code (scripts/video_generate.py) implements text-to-video generation via the Ark SDK and downloads the produced video to the requested filename — this matches the skill name/description. Minor mismatch: SKILL.md claims a fallback to use VOLCENGINE_ACCESS_KEY/VOLCENGINE_SECRET_KEY to obtain an Ark API key, but the included script only reads MODEL_VIDEO_API_KEY or ARK_API_KEY; there is no implementation of the described fallback.
- Instruction Scope (note): Instructions are narrowly scoped to running the script with filename, prompt, and optional first-frame image (URL or local path). They correctly describe local file reading (converted to base64) and downloading the generated video. However, SKILL.md documents credential fallback behavior that is not present in the script, which is an instruction/content mismatch.
- Install Mechanism (ok): No install spec — instruction-only with a single included Python script. Nothing is downloaded or installed by the skill itself, which is low-risk from an install mechanism perspective.
- Credentials (concern): Registry metadata declares no required environment variables, but both SKILL.md and the script rely on sensitive environment variables (MODEL_VIDEO_API_KEY or ARK_API_KEY). SKILL.md also mentions a VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY fallback, which the script does not implement — this discrepancy is concerning because sensitive credentials are involved but not declared in the metadata. The script will send prompts and optionally base64-encoded image data to the Ark service, which is expected but should be explicit in the metadata.
- Persistence & Privilege (ok): The skill does not request permanent presence (always is false), does not modify other skill configs, and does not require elevated system privileges. It will create directories matching the provided filename path and write the downloaded video file, which is expected behavior.
