ClawHub
Back to skill
v1.0.2

混元生视频能力

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:34 AM.

Analysis

This appears to be a straightforward Tencent Cloud Hunyuan video-generation skill, but it requires Tencent cloud credentials and may upload user-selected media to Tencent’s API.

GuidanceInstall only if you are comfortable using Tencent Cloud credentials with this script. Use a limited-scope key where possible, avoid exposing your SecretKey, install the SDK from a trusted source, and only submit media you are willing to send to Tencent Cloud.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
pip install tencentcloud-sdk-python

The setup instructions install an unpinned Python dependency. This is a normal dependency for the stated Tencent Cloud API purpose, but version pinning is not shown.

User impactInstalling the latest package version could introduce unexpected changes if the upstream package changes.
RecommendationInstall from a trusted Python package index and consider pinning or reviewing the Tencent Cloud SDK version in controlled environments.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
临时禁用SSL验证(仅用于下载)
ssl_context.verify_mode = ssl.CERT_NONE

The documentation includes a troubleshooting snippet that disables TLS certificate verification for downloads, which weakens connection security if followed.

User impactIf a user disables certificate verification, a network attacker could potentially tamper with or intercept downloaded video content.
RecommendationKeep SSL verification enabled by default; only use such troubleshooting temporarily in a controlled environment and prefer fixing certificate or network configuration issues.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
`TENCENT_SECRET_ID` - 腾讯云SecretId
`TENCENT_SECRET_KEY` - 腾讯云SecretKey

The skill requires Tencent Cloud account credentials. This is expected for the Tencent API integration, but those credentials authorize actions in the user's cloud account.

User impactThe skill can submit Tencent Cloud video-generation jobs using the user's account, which may consume quota or create charges.
RecommendationUse a least-privilege Tencent Cloud key if possible, avoid printing or sharing the SecretKey, and rotate or revoke the key if it may have been exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
scripts/generate.py
with open(image_input, 'rb') as f:
    image_base64 = base64.b64encode(f.read()).decode('utf-8')
image.Base64 = image_base64

For local image inputs, the script reads the specified file and includes its base64 content in the Tencent Cloud API request.

User impactAny local image selected for image-to-video generation is sent to Tencent Cloud for processing.
RecommendationOnly provide media files you intend to upload to Tencent Cloud, and review Tencent's service terms and retention/privacy expectations for sensitive content.