Skill v1.0.2

ClawScan security

magic-text2video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 13, 2026, 1:20 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill is coherent with a text→video service and only needs a single API key, but the included client disables TLS certificate verification and talks to an unknown test host — that combination is a notable security concern.
Guidance
This skill appears to be what it says (text→video) and only needs MAGIC_API_KEY, but the included Python client disables TLS certificate verification and calls an unfamiliar host (https://open-test.magiclight.ai). That means your API key and request/response data could be exposed to a man-in-the-middle if an attacker controls network traffic or the host. Before installing: (1) prefer an official, documented API endpoint and confirm the service identity; (2) review or request a version of the client that does not disable certificate verification; (3) only provide a scoped/replaceable API key (not a long-lived high-privilege key) and rotate it after testing; (4) consider running the skill in an isolated environment until you trust the endpoint. If you cannot validate the endpoint and the TLS behavior, treat this skill as risky.

Review Dimensions

Purpose & Capability
ok: Name, description, required binary (python), and the single required env var (MAGIC_API_KEY) align with a text-to-video client that submits jobs to a remote service.
Instruction Scope
concern: The SKILL.md instructs the agent to run the included Python client and to print raw JSON output to the chat (which may include internal trace info). The client makes network calls to an external service and the instructions require no additional system data — that's expected — but the script itself disables TLS verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE), which makes the network communication susceptible to MITM and potential API key exfiltration.
Install Mechanism
ok: No install spec or remote downloads; this is an instruction-only skill with one bundled Python script. Nothing is written to disk beyond the included file.
Credentials
ok: Only MAGIC_API_KEY is required and is appropriate for an API-backed video-generation service. No unrelated credentials or config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistence or modify other skills or system settings.