Skill v1.0.0

ClawScan security

Video Call Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 8:13 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared requirements and instructions are consistent with its stated purpose (starting a Runway-based video call) and nothing obviously unrelated or excessive is requested.
Guidance
This skill appears to do what it says: it installs an npm helper and uses your Runway API key to run a local call server. Before installing, verify the npm package and GitHub repository (publisher, recent commits, and maintainers) so you know who published the binary you'll run. Be aware that any images, personality text, audio/video, and call transcripts you supply will be sent to Runway — don't include secrets or personal data you wouldn't want sent to that service. If you have doubts, run the package in an isolated environment (container/VM) and inspect the package contents (npm pack + unpack) or review the repository source before using your RUNWAYML_API_SECRET. Revoke the API key when no longer needed.

Review Dimensions

Purpose & Capability
ok · Name, description, and required items line up: a Runway API key is required to use Runway Characters; node/npm and an npm package make sense for a local helper binary that starts a server.
Instruction Scope
note · Instructions operate via a local server and explicit API calls to Runway. The doc asks the agent to build an avatar personality from the agent's identity and user context (vague wording that gives the agent discretion to reuse conversational context), but it does not instruct reading arbitrary local files or unrelated credentials. The privacy section claims nothing is uploaded automatically; still, transcripts and any images/text you supply will be sent to Runway and become available to the agent.
Install Mechanism
ok · Install is an npm package (openclaw-video-call) from npmjs.com — appropriate for a node-based helper. npm packages are a standard moderate-risk install mechanism but are coherent with the skill's runtime requirements.
Credentials
ok · Only one required env var (RUNWAYML_API_SECRET) is declared and it is the primary credential needed to call the Runway API; there are no unrelated credentials or config paths requested.
Persistence & Privilege
ok · Skill is user-invocable and not always-on. It does not request system-wide configuration changes, nor does it claim to modify other skills or persist broad privileges.