Back to skill
Skillv1.0.4
ClawScan security
WayinVideo - Find Moments in the Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 3, 2026, 11:21 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, scripts, and runtime instructions are coherent with its stated purpose (calling the WayinVideo API to find moments) and only require the declared WAYIN_API_KEY and python3.
- Guidance
- This skill appears to do what it says: it calls WayinVideo endpoints and requires only your WAYIN_API_KEY and python3. Before installing, confirm you trust the WayinVideo service and the API key you will provide. Be aware the skill will upload any local video files you pass to WayinVideo (uploads use presigned URLs and return a one-time identity), and it writes JSON files (api_results by default) into your workspace — sensitive videos or metadata will be transmitted to the third-party service. The polling script emits local system events by running the 'openclaw' CLI; ensure that CLI is the platform tool you expect. If you’re concerned, test with non-sensitive sample videos and a scoped/test API key, and review the saved JSON files and their locations. If you want the agent to download unsupported URLs, provide a safe downloader or the file yourself, since the skill does not include a web-downloader.
Review Dimensions
- Purpose & Capability
- okName/description, required env var (WAYIN_API_KEY), and the three Python scripts all align: they upload videos, submit find-moments jobs, and poll results against wayinvideo-api.wayin.ai. Required binary (python3) is appropriate and proportional.
- Instruction Scope
- noteSKILL.md instructs running the included scripts and reading local asset files (supported_languages, caption style, platform ratio) — all consistent. It also tells the agent to download unsupported web-hosted videos before upload (the skill does not include a downloader), and the polling script will traverse parent directories looking for AGENTS.md to infer a workspace root and writes JSON result files. The polling script additionally invokes an 'openclaw system event' subprocess to emit notifications — expected for this platform but it means the skill will call a local CLI to surface status messages.
- Install Mechanism
- okNo install spec; this is instruction/code-only. No remote installers or archive downloads are used. The included Python scripts run with standard stdlib urllib and file I/O, so there is no hidden install-time code execution risk.
- Credentials
- okOnly WAYIN_API_KEY is required and declared as primaryEnv. The scripts only read that env var and do not request other credentials or unrelated secrets. Saved JSON intentionally excludes API key and persists non-sensitive submit payload and API endpoint information.
- Persistence & Privilege
- okalways is false and the skill does not request permanent platform-wide privileges. It writes result files to a workspace/api_results directory (or a provided save-dir) and sends system events via the local 'openclaw' CLI. It does not modify other skills or system-wide configs.