Skill v1.0.0

ClawScan security

Qwen Wan 2.6 Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 1:28 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it says (calls Aliyun DashScope for Qwen Wan 2.6), but registry metadata and packaging are inconsistent with the code and instructions — the skill requires a secret API key that is not declared in the metadata and dependencies are not clearly specified.
Guidance
This skill appears to implement direct calls to Aliyun DashScope for Qwen Wan 2.6 video generation, which is consistent with its description, but the package metadata omits a required secret and some of the packaging is sloppy. Before installing:
1. Do not supply high-privilege or long-lived credentials. Create a scoped, test-only DASHSCOPE_API_KEY with the minimum permissions the video-generation endpoint needs, and rotate it after evaluation.
2. Verify that you trust the source; no homepage or author verification is provided with the skill.
3. Run the code in an isolated environment (sandbox or container) with outbound network limited to https://dashscope.aliyuncs.com, and make sure the Python 'requests' library is installed, since the skill ships no dependency list.
4. Expect the skill to fail unless DASHSCOPE_API_KEY is set. Ask the publisher to update the registry metadata to declare the required environment variable and to provide clear dependency and install instructions.
If you cannot verify the author or restrict the API key, treat this skill as risky and do not give it production credentials.

Review Dimensions

Purpose & Capability
note: The SKILL.md and Python client both implement direct calls to Aliyun DashScope for video generation, which matches the skill name and description. However, the registry metadata claims no required environment variables or primary credential while the code and docs clearly require DASHSCOPE_API_KEY; that mismatch is an integrity concern (most likely sloppy packaging or a metadata omission rather than deliberate concealment, but it should be corrected before the skill is trusted).
Instruction Scope
ok: Runtime instructions and the Python client limit activity to creating and polling video tasks against https://dashscope.aliyuncs.com and returning task result URLs. There are no instructions to read unrelated local files or to transmit data to unexpected endpoints beyond the listed DashScope API and user-supplied image URLs.
Install Mechanism
note: This is instruction-only (no installer), so nothing is downloaded at install time. Minor packaging inconsistencies: a package.json (Node metadata) is present while the shipped client is Python, and the Python script uses the 'requests' library but no Python dependency list or install spec is provided, which may lead to runtime failures.
Credentials
concern: The Python client requires a DASHSCOPE_API_KEY (used as a Bearer token) and the SKILL.md shows how to set it, but the registry metadata does not declare any required env vars or primary credential. The omission hides the fact that a secret token is needed; users should confirm the required key and restrict its scope before supplying it.
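The two findings above (Instruction Scope: the client should only talk to dashscope.aliyuncs.com; Credentials: the client reads DASHSCOPE_API_KEY but the manifest declares no env vars) are both mechanically checkable before install. The script below is an added example, not ClawHub's scanner and not the skill's own code: it parses a Python client with the `ast` module to find every environment variable it reads, extracts the hosts of every URL literal, and compares both against the registry manifest and an allowlist. The sample client and manifest are constructed to resemble what the review describes, and the manifest field names `requiredEnv` and `primaryCredential` are assumptions; substitute whatever the registry actually uses.

```python
"""Pre-install consistency check for an instruction-only skill that ships a Python client.

Added example (not ClawHub's scanner, not the skill's code). Manifest field names
"requiredEnv" and "primaryCredential" are assumed, not the registry's real schema.
"""
import ast
import re
from urllib.parse import urlparse

# Constructed sample client: Bearer token from DASHSCOPE_API_KEY, task creation
# against DashScope, plus an optional poll timeout read via os.getenv().
SAMPLE_CLIENT = '''
import os, time, requests

API = "https://dashscope.aliyuncs.com/api/v1/services/aigc/video-generation/video-synthesis"
KEY = os.environ["DASHSCOPE_API_KEY"]
TIMEOUT = int(os.getenv("WAN_POLL_TIMEOUT", "600"))

def create(prompt, img_url):
    r = requests.post(API, headers={"Authorization": f"Bearer {KEY}"},
                      json={"prompt": prompt, "img_url": img_url})
    return r.json()["output"]["task_id"]
'''

# Constructed sample manifest: declares no env vars, as the review reports.
SAMPLE_MANIFEST = {"name": "qwen-wan-video", "requiredEnv": [], "primaryCredential": None}

# The only host the review says the client should contact.
ALLOWED_HOSTS = {"dashscope.aliyuncs.com"}


def _is_os_environ(node) -> bool:
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def env_vars_read(source: str) -> set[str]:
    """Names read via os.environ[...], os.environ.get(...) or os.getenv(...)."""
    found: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        # os.environ["NAME"]
        if isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            key = node.slice
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                found.add(key.value)
        # os.getenv("NAME", ...) / os.environ.get("NAME", ...)
        elif isinstance(node, ast.Call) and node.args and isinstance(node.func, ast.Attribute):
            f = node.func
            is_getenv = (f.attr == "getenv" and isinstance(f.value, ast.Name)
                         and f.value.id == "os")
            is_environ_get = f.attr == "get" and _is_os_environ(f.value)
            if is_getenv or is_environ_get:
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    found.add(arg.value)
    return found


def url_hosts(source: str) -> set[str]:
    """Hostnames of every http(s) URL literal appearing in the source text."""
    urls = re.findall(r'https?://[^\s"\']+', source)
    return {urlparse(u).hostname for u in urls}


def audit(source: str, manifest: dict) -> dict:
    """Env vars the code reads but the manifest omits, and hosts outside the allowlist."""
    used = env_vars_read(source)
    declared = set(manifest.get("requiredEnv") or [])
    if manifest.get("primaryCredential"):
        declared.add(manifest["primaryCredential"])
    return {
        "undeclared_env": sorted(used - declared),
        "unexpected_hosts": sorted(url_hosts(source) - ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CLIENT, SAMPLE_MANIFEST)
    for k, v in report.items():
        print(f"{k}: {v or 'none'}")
```

Run it against the real SKILL.md client and manifest by replacing the two constructed samples; a non-empty `undeclared_env` reproduces the Credentials finding, and a non-empty `unexpected_hosts` would contradict the Instruction Scope finding and warrant a closer look. Only string-literal names and URLs are detected, so a client that builds endpoints or variable names dynamically needs manual review.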
Persistence & Privilege
ok: The skill does not request permanent or always-on inclusion, does not declare config paths, and does not modify other skills or system settings. Autonomous invocation is allowed by default (normal for skills) but is not combined with any other privilege escalation here.