v0.1.2

Weryai Video Generator

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:54 AM.

Analysis

The skill’s stated video-generation purpose is coherent, but its runnable scripts delegate the real API, upload, and credential-handling logic to core files that are not included in the provided artifacts.

GuidanceReview this skill carefully before installing. Its purpose and credential use match WeryAI video generation, but the supplied package mostly wraps core modules that are not included here. Only use it if you trust that external core code, and consider starting with model checks or dry-runs before allowing real paid submissions or local media uploads.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

scripts/lib/client.js

export * from '../../../../../core/weryai-core/client.js';

The client implementation that would handle WeryAI API communication is imported from a core path outside the supplied skill files; similar wrappers are used for wait, submit, models, validators, and other behavior.

User impactThe visible package does not contain the main code that will handle the API key, uploads, submissions, polling, and results, so a user must trust unreviewed runtime core code.

RecommendationInstall only if you trust the runtime/core provider; for higher assurance, require the core source to be included, pinned, or otherwise provenance-verified before using the API key or uploading media.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

AGENTS.md

For generation tasks, use `node {baseDir}/scripts/wait-video.js` by default so polling continues until videos are ready or timeout is reached.

The agent is instructed to submit and poll generation jobs by default for generation requests. This is aligned with the skill purpose and bounded, but it can initiate paid API work.

User impactIf you ask for a video generation, the agent may create a paid WeryAI task rather than only explaining how to do it.

RecommendationUse dry-run or explicitly ask for confirmation first if you do not want paid WeryAI credits spent automatically.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Add it to the required environment variable `WERYAI_API_KEY`.

The skill requires a WeryAI API key, which is expected for this service integration and is also disclosed in the metadata.

User impactThe skill can act using your WeryAI account and consume account credits for real generation requests.

RecommendationUse a dedicated WeryAI API key if possible, keep it secret, monitor usage, and revoke or rotate it if no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

Reference media (`image`, `images`, `videos`, `audios`) can be `http/https` URLs or local/file sources. Local/non-http(s) sources are uploaded first via `/v1/generation/upload-file`.

The skill discloses that local media references may be uploaded to the WeryAI service. This is purpose-aligned for video generation, but it crosses a local-to-provider data boundary.

User impactPrivate images, videos, or audio files you provide as references may be sent to WeryAI.

RecommendationOnly provide media you intend to upload to WeryAI, and avoid using sensitive local files unless you are comfortable with the provider receiving them.