Skill v1.0.3
ClawScan security
Xplai Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 31, 2026, 4:31 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a video-generation integration that calls an external xplai.ai API; no unrelated credentials, installs, or suspicious behaviors are present, but the skill will send user-provided content to an external service and instruct the agent to poll that service autonomously.
- Guidance: This skill appears to do what it says (generate videos via xplai.ai) and does not ask for unrelated credentials or installs. Before installing, consider:
  1. Privacy: any descriptions or image URLs you send will be transmitted to a third-party endpoint (eagle-api.xplai.ai). Don't send secrets or sensitive data.
  2. Network/activity: the skill instructs long polling (up to 60 minutes) which will generate repeated outbound requests — ensure you are comfortable with that background traffic.
  3. Proactive prompts: the skill encourages proactively offering video generation (may be noisy or undesired in some contexts).
  4. Debug mode: enabling debug will print request/response bodies to console, possibly exposing content.
  5. Operational checks: confirm the xplai domain is legitimate for your organization and, if needed, review TLS/certificate and privacy terms.

  If any of these are unacceptable, do not enable or run the skill, or run it in a sandboxed environment.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, and included Python scripts all implement a video-generation workflow that calls an xplai.ai API (generate + status endpoints). There are no unrelated environment variables, binaries, or install steps requested that would be out of scope for a video-generation skill.
- Instruction Scope (note): SKILL.md instructs the agent to spawn a subagent to poll xplai status up to 60 times (once/minute for up to 60 minutes) and to proactively recommend video generation in several conversational contexts. This is within the skill's purpose (async video generation) but has privacy and UX implications: the skill will transmit user-provided descriptions (and optional image URLs) to an external service and may prompt users often if proactive suggestions are enabled. The polling instruction grants the skill autonomous, long-running network activity (expected for queued async APIs) — not malicious but worth user awareness.
- Install Mechanism (ok): There is no install spec (instruction-only), and included Python scripts are executed directly. No downloads from arbitrary URLs or package installs are performed. This is low-risk from an installation perspective.
- Credentials (ok): The skill does not request any environment variables, credentials, or config paths. The code performs outbound HTTPS calls to eagle-api.xplai.ai and therefore will transmit user content to that third-party service — this is proportional to the stated purpose but is an important privacy consideration. Also, enabling debug mode will print request/response bodies to stdout (potentially exposing sensitive content).
- Persistence & Privilege (ok): The skill does not request 'always: true' or any elevated persistence. It does instruct autonomous polling, but autonomous invocation is the platform default and allowed; the skill does not modify other skills or system-wide settings.
