Skill v1.0.1
ClawScan security
auto-video-creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 3:41 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and SKILL.md require an XLXAI_API_KEY and make network calls (including uploading local images), but the registry metadata declares no required environment variables or dependencies — this inconsistency and the absent provenance are concerning.
- Guidance
- Before installing or running this skill, note the following:
  1. generate_video.py requires an XLXAI_API_KEY environment variable, but the registry metadata does not declare it; you must supply a provider API key to use the skill.
  2. The script uploads any local image you pass it (it base64-encodes the file and sends it to https://api.xlxai.store), so do not point it at sensitive local files.
  3. Verify the XLXAI API hostname and the provider's privacy policy and terms of service; treat the API key as a secret and use a scoped, rotatable key.
  4. The package imports the Python 'requests' library but declares no dependencies; make sure your environment provides it.
  5. Source and homepage are missing; prefer packages with clear provenance, or inspect the code manually before running it.
  If you need this skill, ask the publisher to correct the registry metadata (declare XLXAI_API_KEY and the dependency on requests) and/or to provide a vetted homepage and source before trusting it with sensitive data.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to call the XLXAI Sora2 API to generate videos, which is a valid purpose. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and generate_video.py explicitly require XLXAI_API_KEY and call https://api.xlxai.store. That mismatch (metadata says 'none', but the code needs a secret and network access) is incoherent and should be addressed.
- Instruction Scope
- note: Runtime instructions stay within video generation (creating tasks, polling, returning video_url). They also instruct converting local image files to base64 data URIs and sending them to the provider, which means the skill will read any local file path supplied to it and transmit the contents. That behavior is expected for image-to-video features, but users should be aware it uploads local image contents to a third-party API.
- Install Mechanism
- note: There is no install spec (instruction-only), which minimizes install-time risk. However, the script imports the 'requests' package, and no dependencies or packaging info are declared. This is an operational/coherency issue (the environment must already provide Python and requests) rather than an immediate security exploit, but it should be documented.
- Credentials
- concern: The code and SKILL.md require XLXAI_API_KEY, which is sensible and proportionate for an API-backed video generator. The problem is that the registry metadata omits this required credential entirely. That omission could mislead users into installing without configuring a key, or into trusting the skill without realizing it needs a sensitive credential. No other unrelated credentials are requested.
- Persistence & Privilege
- ok: The skill does not request always:true, does not declare config path access, and does not attempt to modify other skills or system settings. It runs as an on-demand CLI script and returns JSON; its persistence and privilege requests are within expected bounds.
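The metadata-versus-code mismatch flagged under Guidance items (1) and (4) and under the Credentials and Install Mechanism dimensions is mechanically checkable before you install anything. The script below is an added example, not ClawScan's scanner and not the auto-video-creator skill's own code: it parses a skill's Python source with the standard `ast` module, collects the environment variables it reads, the non-standard-library modules it imports and the hostnames in its literal URLs, and compares them against what the registry metadata declares. The embedded `SAMPLE_SCRIPT` is a constructed stand-in that mimics the behavior this report describes (reads XLXAI_API_KEY, imports requests, posts to api.xlxai.store); it is not the real generate_video.py. The metadata shape (`env`, `dependencies`, `homepage`, `source` keys) is assumed for illustration, and the code targets Python 3.9 or later.

```python
"""Check whether a skill's declared metadata matches what its code actually needs.

Added example (not ClawScan or the skill's own code). Reports undeclared env vars,
undeclared third-party imports, contacted hosts, and missing provenance fields.
"""
import ast
import json
import sys
from urllib.parse import urlparse

# Constructed stand-in for generate_video.py; NOT the skill's real source.
SAMPLE_SCRIPT = '''
import os, sys, base64, json
import requests

API_KEY = os.environ["XLXAI_API_KEY"]
BASE = "https://api.xlxai.store/v1/video"

def encode_image(path):
    with open(path, "rb") as f:
        return "data:image/png;base64," + base64.b64encode(f.read()).decode()

def create_task(prompt, image=None):
    payload = {"prompt": prompt}
    if image:
        payload["image"] = encode_image(image)
    r = requests.post(BASE, json=payload, headers={"Authorization": "Bearer " + API_KEY})
    return r.json()
'''

# Constructed registry metadata (assumed key names) declaring nothing, as in the report.
SAMPLE_METADATA = {"env": [], "dependencies": [], "homepage": None, "source": None}


def _is_os(node):
    return isinstance(node, ast.Name) and node.id == "os"


def _is_environ(node):
    return isinstance(node, ast.Attribute) and node.attr == "environ" and _is_os(node.value)


def extract_facts(source):
    """Return (env_vars, third_party_imports, hosts) referenced by the source text."""
    tree = ast.parse(source)
    # Python 3.10+ ships the stdlib list; older interpreters get a small fallback.
    stdlib = getattr(sys, "stdlib_module_names",
                     frozenset({"os", "sys", "base64", "json", "re", "time"}))
    env, imports, hosts = set(), set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Subscript):
            # os.environ["NAME"]
            if _is_environ(node.value) and isinstance(node.slice, ast.Constant):
                env.add(node.slice.value)
        elif isinstance(node, ast.Call):
            # os.environ.get("NAME") and os.getenv("NAME")
            f = node.func
            if (isinstance(f, ast.Attribute) and node.args
                    and isinstance(node.args[0], ast.Constant)):
                if (f.attr == "get" and _is_environ(f.value)) or \
                        (f.attr == "getenv" and _is_os(f.value)):
                    env.add(node.args[0].value)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Literal URLs reveal which third parties the code will contact.
            if node.value.startswith(("http://", "https://")):
                hosts.add(urlparse(node.value).hostname)
    return env, {m for m in imports if m not in stdlib}, hosts


def audit(metadata, source):
    """Compare code facts with registry metadata; coherent == nothing undeclared."""
    env, deps, hosts = extract_facts(source)
    findings = {
        "undeclared_env": sorted(env - set(metadata.get("env") or [])),
        "undeclared_deps": sorted(deps - set(metadata.get("dependencies") or [])),
        "network_hosts": sorted(hosts),
        "missing_provenance": [k for k in ("homepage", "source") if not metadata.get(k)],
    }
    findings["coherent"] = not (findings["undeclared_env"]
                                or findings["undeclared_deps"]
                                or findings["missing_provenance"])
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_METADATA, SAMPLE_SCRIPT), indent=2))
```

Run it against a skill's actual `generate_video.py` and its registry metadata to reproduce the verdict above: any name in `undeclared_env` is a secret the publisher should declare, `network_hosts` tells you where your files and key will be sent, and `coherent` only turns true once the metadata declares the key and the requests dependency and supplies a homepage and source. Dynamic lookups (`os.environ[name]` with a variable name) are deliberately not resolved; treat a script that hides its environment reads that way as a reason for manual review.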
