Skillv1.0.0

ClawScan security

Video Intent Studio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 14, 2026, 4:03 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (staged prompt building + Volcengine Ark video generation); nothing in the package appears to be doing unrelated or hidden network exfiltration, but there are a few minor implementation details you should be aware of before installing.
Guidance: This skill appears to do what it claims: build staged prompts and submit them to Volcengine Ark. Before installing or using it, consider: (1) runtime requires an Ark API key (ARK_API_KEY or VOLCENGINE_ARK_API_KEY) — set a scoped key with least privilege; (2) the generator will attempt to read credential values from your Windows registry as a fallback (HKCU/HKLM) — if you are on Windows, be aware of that automatic lookup; (3) the script will make network requests to the default Ark endpoint (https://ark.cn-beijing.volces.com/...) and will download the resulting MP4 to disk (by default your Desktop) — if you prefer, supply --output or change the tasks URL to a test endpoint; (4) there is no installer, so review the two scripts if you have any doubt and run them in a sandbox or controlled environment first; (5) you can test without performing a real submission by using the generator's --dry-run mode to inspect payloads. Overall the package is coherent and consistent with its purpose but treat API keys and generated files with normal caution.

Review Dimensions

Purpose & Capability: okThe name/description (text-to-video staging + Ark generation) aligns with the included helper scripts and reference files. The scripts implement suggestion, prompt building, and an HTTP + polling generator against a Volcengine Ark tasks endpoint, which is consistent with the skill purpose.
Instruction Scope: noteSKILL.md instructs the agent to run the bundled CLI scripts and to show prompt previews and confirmations. The runtime behavior matches that: the generator makes network calls to a Volcengine Ark API, polls task status, and downloads the resulting video. Two minor scope notes: (1) the generator will create output files (defaulting to the user's Desktop) and create directories if needed, and (2) the generator script contains a helper to read API keys from the Windows registry (HKCU/HKLM) which is not called out in SKILL.md. Both are legitimate for this use case but are implementation specifics the user should expect.
Install Mechanism: okThis is an instruction + script skill with no install spec; nothing is downloaded or written to disk by an installer. Risk from installation is low because there is no external installer or archive retrieval described in the package metadata.
Credentials: noteThe package legitimately needs an Ark API key to generate videos; SKILL.md documents ARK_API_KEY and VOLCENGINE_ARK_API_KEY and optional overrides. The registry metadata lists no required env vars (fine because keys are optional until generation). Two small concerns: the generator also looks for a registry value named 'ARK API KEY' (with spaces) in addition to the documented names, and the code will try environment or registry reads automatically. These are functional conveniences but should be noted because the script will access system environment/registry entries to find credentials.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system-wide agent configuration. It will write output files (downloaded video) to disk as part of normal operation, which is expected for a generator.