Skill v1.0.6

ClawScan security

Atlas Cloud — AI Image, Video & LLM Generation API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 4:48 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what it claims — a unified Atlas Cloud image/video/LLM client — but contains a few minor inconsistencies and privacy-relevant behaviors (local file uploads and an undocumented Google key) you should be aware of before installing.
Guidance
This skill is internally consistent with its stated purpose and contains handy example scripts, but review a few points before using it with real data:

- Privacy/exfiltration: the scripts upload local media to Atlas Cloud (and optionally Google) to perform editing/generation. Only upload files you are comfortable sending to that service, and review Atlas Cloud's privacy policy and terms.
- API key scope and billing: create a dedicated ATLASCLOUD_API_KEY with limited budget/quota if possible. Using your primary production key may expose you to unexpected charges from generated workloads.
- Undeclared Google key: the image script will use GEMINI_API_KEY if present, but GEMINI_API_KEY is not declared in the skill metadata. If you don't want Google AI Studio involved, ensure GEMINI_API_KEY is not set in your environment.
- Audit endpoints: the code talks only to atlascloud.ai and (optionally) Google generativelanguage endpoints. If you plan to run these scripts on sensitive systems, consider network restrictions or offline testing first.
- Run review: because this skill is instruction+script based and can run network I/O, review the included scripts before executing and prefer running them in an isolated environment or with test keys/limited quotas.

If you need higher assurance, ask the maintainer for an explicit list of required env vars (including optional GEMINI_API_KEY), and verify the Atlas Cloud service reputation and billing safeguards before provisioning keys.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and SKILL.md: the package implements image, video, and LLM calls to atlascloud.ai and exposes helper scripts and examples. The only capability that seems out of band is optional Google AI Studio support in the scripts, which is related to multi-provider generation and is plausible for the stated purpose.
Instruction Scope
note: Runtime instructions are straightforward: set ATLASCLOUD_API_KEY and run the included scripts. The scripts perform network requests to atlascloud.ai (and optionally Google generativelanguage.googleapis.com) and can upload local files to Atlas Cloud (there is an upload command and the video script prompts for confirmation). Uploading local files is expected for image/video editing but is a privacy surface you should acknowledge.
Install Mechanism
ok: No install spec; this is instruction-and-script-only. The included Python scripts use only the standard library (no package manager downloads or archive extracts). This is low-risk from an installation/execution surface perspective.
Credentials
note: Declared required env var is ATLASCLOUD_API_KEY (primary credential) which matches the skill's purpose. However, the image script also supports GEMINI_API_KEY (Google AI Studio) but GEMINI_API_KEY is not declared in requires.env or the plugin config — an inconsistency to be aware of. The skill does not request unrelated credentials or config paths.
Persistence & Privilege
ok: always:false and no special persistence or system-wide modifications. The scripts write downloaded/generated files to user-specified output directories and can upload local files to the remote API; they do not alter other skills or system settings.