Skill v0.1.0
ClawScan security
Whiteboard Animation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 4, 2026, 7:18 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files, scripts, and runtime instructions are consistent with its stated purpose (generating whiteboard-style animations from images); it creates a local venv and installs image-processing packages, and it does not request secrets or unrelated system access, but a few implementation details and missing assets should be checked before running.
- Guidance: This skill appears to be what it says: a local Python-based tool that generates whiteboard-style videos from images. Before installing/running, consider the following:
  - Provide or verify the assets/drawing-hand.png asset (the code references assets/, but the manifest did not include it). Without it the hand overlay may fail or raise errors.
  - The setup step will create a .venv under the skill directory and run pip to install opencv-python, numpy, and av from PyPI; review these packages and be prepared for network activity and possible native dependency requirements (ffmpeg/libav-related) on some systems.
  - Run the setup and generation inside an isolated environment (test VM or container) the first time to confirm behavior and avoid surprising filesystem changes.
  - If you want extra assurance, open the full generate_whiteboard.py (the provided version was truncated during review) and scan for any network calls or unexpected file reads/writes; based on the visible code there were none, but the truncated portion should be inspected to be certain.
Review Dimensions
- Purpose & Capability (ok): Name/description (image -> whiteboard animation) matches the included scripts: generate_whiteboard.py implements image processing and video output, batch_generate.py serializes multiple runs, and setup_env.py prepares a Python virtualenv and installs required packages. No unrelated credentials, binaries, or external services are requested.
- Instruction Scope (note): SKILL.md keeps instructions narrowly scoped (create venv, install dependencies, run the generator on user-provided image paths). The scripts operate only on the provided image files and write output to an output directory. One important mismatch: generate_whiteboard.py references an assets/drawing-hand.png file (HAND_PATH) for the hand overlay, but the provided file manifest does not include an assets/ directory or that image; this will likely cause runtime errors or missing hand-overlay behavior unless the asset is supplied separately.
- Install Mechanism (note): There is no platform-level install spec in the registry, but setup_env.py will create a .venv and run pip install for opencv-python, numpy, and av. This behavior is expected for a Python-based image-processing tool, but it does perform network installs from PyPI (moderate risk compared with no-install), and av builds can require system libraries on some hosts.
- Credentials (ok): The skill requests no environment variables, no credentials, and no system config paths. The code does not appear to read unrelated environment secrets. All requested capabilities are proportional to the described image/video processing task.
- Persistence & Privilege (ok): always:false and the skill does not request elevated/platform-wide privileges. It creates a local .venv inside the skill directory (normal for Python tools) and does not modify other skills or global agent settings.
