Skill v1.0.1

ClawScan security

One-click generation of stories from text and images, provided by Vidu API. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 20, 2026, 12:13 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary: The skill describes calling a remote Vidu API, performing web image searches and writing local files, yet it declares no API endpoint, no credential and no install requirements. That mismatch between the behaviour the instructions describe and the requirements the package declares is suspicious and needs clarification before use.

Guidance: Do not install blindly. Ask the publisher for: (1) the Vidu API endpoint and the exact authentication method (API key name, header format, or SDK) and where credentials should be stored (env var names); (2) a privacy/TOS statement describing what happens to uploaded images and generated content; (3) whether the skill performs web searches automatically and whether that can be disabled. Verify that ffmpeg is available and that the output paths are writable before running. Do not send sensitive images or credentials until the endpoint, authentication details and publisher identity are confirmed. If you cannot establish trust in the author or obtain clear answers, treat the skill as unsafe to run: it would send data to an unspecified external service.
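The pre-flight step in the guidance above (binary present, credentials set, output path writable) as a small check script. This is an added example, not ClawHub's scanner or the skill's own code: the env var names VIDU_API_KEY and VIDU_API_URL, the ffmpeg requirement and the ~/Desktop output directory are assumptions drawn from the review text, and `env` and `which` are injectable so the check can be exercised against a constructed environment rather than the real machine.

```python
"""Pre-flight checks before running an instruction-only media-generation skill.

Added example, not ClawHub's or the skill's own code. The env var names,
the ffmpeg requirement and the output directory are assumptions taken from
the scanner guidance above.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass
class PreflightReport:
    missing_binaries: list = field(default_factory=list)
    missing_env: list = field(default_factory=list)
    unwritable_paths: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.missing_binaries or self.missing_env or self.unwritable_paths)


def preflight(required_binaries, required_env, output_dirs,
              env=None, which=shutil.which) -> PreflightReport:
    """Check binaries on PATH, credentials in the environment and writable output dirs.

    `env` (a mapping) and `which` (name -> path or None) default to the real
    process environment and shutil.which, but can be replaced for testing.
    """
    env = os.environ if env is None else env
    report = PreflightReport()
    for binary in required_binaries:
        if which(binary) is None:
            report.missing_binaries.append(binary)
    for name in required_env:
        # A variable that is set but blank is as useless as an unset one.
        if not env.get(name, "").strip():
            report.missing_env.append(name)
    for path in output_dirs:
        expanded = os.path.expanduser(path)
        if not (os.path.isdir(expanded) and os.access(expanded, os.W_OK)):
            report.unwritable_paths.append(path)
    return report


def demo() -> PreflightReport:
    """Run the check against a constructed environment: ffmpeg absent,
    the API key set but blank, the API URL unset, one bad output dir."""
    fake_env = {"VIDU_API_KEY": "   "}

    def nothing_on_path(name):
        return None

    scratch = tempfile.mkdtemp()                      # writable
    missing = os.path.join(scratch, "does-not-exist")  # not writable (absent)
    return preflight(["ffmpeg"], ["VIDU_API_KEY", "VIDU_API_URL"],
                     [scratch, missing], env=fake_env, which=nothing_on_path)


if __name__ == "__main__":
    # Real run: assumed names, real PATH, real environment, real ~/Desktop.
    report = preflight(["ffmpeg"], ["VIDU_API_KEY", "VIDU_API_URL"], ["~/Desktop"])
    print("ok" if report.ok else report)
```

The point of injecting `env` and `which` is that the same function serves both as a runtime gate (refuse to start the skill when `report.ok` is false) and as a testable unit; a blank value is treated as missing because an empty bearer token is the most common way a misconfigured credential silently reaches an external endpoint.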

Review Dimensions

Purpose & Capability
Concern: The skill's stated purpose is to call a Vidu image/video generation pipeline, but the package declares no required environment variables, no primary credential and no endpoint information. A remote media-generation API normally needs an API key and a URL; the absence of any declared credential or configuration guidance is inconsistent with the skill's purpose.
Instruction Scope
Concern: SKILL.md instructs the agent to perform web searches for reference images, convert images to base64, call an external Vidu API to generate images and video, write output files (~/Desktop/*.mp4) and run ffmpeg to merge them. These runtime actions include network requests, third-party content fetching, file creation and execution of a local command, yet the document does not say where the API calls are sent, how they are authenticated, or whether user uploads are transmitted to third parties.
Install Mechanism
OK: The skill is instruction-only (no install spec and no code files), so an installer writes nothing to disk and install-time risk is low. Runtime actions still require local binaries (e.g. ffmpeg) and network access.
Credentials
Concern: Although SKILL.md gives repeated example payloads for Vidu API calls, the skill lists no required environment variables or credentials. That is disproportionate: calling a remote API should normally require a declared API key or endpoint configuration. The skill also instructs web image searches and sends images to an external service without documenting the permissions or secrets those steps need.
Persistence & Privilege
Note: The skill does not request always:true and does not modify other skills. It does assume the ability to write files under ~/Desktop and to run ffmpeg at runtime. That is typical for a video workflow but worth noting, because it involves local filesystem writes and executing a binary that may not be present or may need additional permissions.
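The core finding across these dimensions is a mismatch between the capabilities the instructions imply and what the package declares. The following is an added example of that check as a small static review, not ClawHub's scanner: SKILL_MD is a constructed excerpt modelled on the behaviour described above (not the real skill's text), MANIFEST is a constructed manifest whose field names (`env`, `install`, `always`) are assumptions, and the regex indicators are a deliberately simple heuristic.

```python
"""Static capability/declaration mismatch check for an instruction-only skill.

Added example, not ClawHub's scanner. SKILL_MD and MANIFEST are constructed
stand-ins for the skill's files; the manifest field names are assumptions.
"""
import re

# Constructed SKILL.md excerpt modelled on the review's description of the skill.
SKILL_MD = """\
1. Search the web for reference images matching the user's prompt.
2. Convert each image to base64 and POST it to the Vidu API to generate frames.
3. Call the Vidu API again to generate a video from the frames.
4. Save the result to ~/Desktop/story.mp4, then run ffmpeg to merge clips.
"""

# Constructed manifest: nothing declared beyond name and version.
MANIFEST = {"name": "vidu-story", "version": "1.0.1",
            "env": [], "install": None, "always": False}

# (regex over the instructions, capability tag). Heuristic, case-insensitive.
INDICATORS = [
    (r"\b(search the web|web search)\b", "network:web-search"),
    (r"\b(api|endpoint|POST|GET)\b", "network:remote-api"),
    (r"\bbase64\b", "data:encodes-user-content"),
    (r"~/[\w./-]+|/home/\w+", "fs:writes-home"),
    (r"\b(ffmpeg|execute|shell)\b", "exec:local-binary"),
]


def capabilities(skill_md: str) -> set:
    """Return the set of capability tags implied by the instruction text."""
    return {tag for pattern, tag in INDICATORS
            if re.search(pattern, skill_md, re.IGNORECASE)}


def review(skill_md: str, manifest: dict) -> list:
    """Compare implied capabilities with what the manifest declares.

    Returns (dimension, level, message) tuples in the style of the review
    dimensions above. A remote API with no declared credential is the
    mismatch that drives the 'suspicious' verdict.
    """
    caps = capabilities(skill_md)
    findings = []
    if "network:remote-api" in caps and not manifest.get("env"):
        findings.append(("Credentials", "concern",
                         "calls a remote API but declares no env vars or credentials"))
    if "network:web-search" in caps:
        findings.append(("Instruction Scope", "note",
                         "performs web searches and fetches third-party content"))
    if "data:encodes-user-content" in caps and "network:remote-api" in caps:
        findings.append(("Instruction Scope", "note",
                         "encodes user images and sends them to an external service"))
    if "exec:local-binary" in caps or "fs:writes-home" in caps:
        findings.append(("Persistence & Privilege", "note",
                         "writes under the home directory and/or runs a local binary"))
    if manifest.get("install") is None:
        findings.append(("Install Mechanism", "ok", "instruction-only, no install spec"))
    if manifest.get("always"):
        findings.append(("Persistence & Privilege", "concern", "requests always:true"))
    return findings


def verdict(findings: list) -> str:
    """'suspicious' if any dimension is a concern, otherwise 'ok'."""
    return "suspicious" if any(level == "concern" for _, level, _ in findings) else "ok"


if __name__ == "__main__":
    for dim, level, msg in review(SKILL_MD, MANIFEST):
        print(f"{dim}: {level}: {msg}")
    print("verdict:", verdict(review(SKILL_MD, MANIFEST)))
```

Re-running `review` with a manifest that declares the credential names the guidance asks for (for example `dict(MANIFEST, env=["VIDU_API_KEY", "VIDU_API_URL"])`) drops the Credentials concern and the verdict falls back to ok; the remaining notes about web fetching, uploads and local execution stay, because declaring a credential explains the network call but does not make those behaviours go away.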