Skillv0.1.0

ClawScan security

Huo15 Comic Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 4:23 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The orchestrator's functionality matches its description, but the package fails to declare or explain required credentials and will call external media APIs (requiring API keys) — a mismatch that requires user attention before installing.
Guidance: This skill appears to do what it claims, but pay attention before installing or running it: - Credential disclosure: the code expects an ARK_API_KEY (and references Kling/Suno endpoints). The skill metadata did not declare these required env vars. Do not provide cloud API keys until you confirm which keys are needed and where they are used. - Network calls: the orchestrator will call external media APIs (image/video/tts/lipsync). If you must keep data private, do not run it on sensitive data or ensure your environment/network policy allows these calls. - Code execution: run.py uses subprocess to execute sibling scripts (../huo15-comic-*/scripts/*.py). That executes arbitrary Python code from those directories — only run this orchestrator in a trusted repository or in an isolated/containerized environment. - Safer options: to avoid API usage and network calls, use the recommended 'Agent direct-write' flow (prewrite script.json and set SCRIPT_PREWRITTEN=1) or inspect/modify child scripts to disable network calls. Test with a small project and a low cost_cap first. What would change the assessment: if the publisher updates metadata to list required env vars (e.g., ARK_API_KEY, KLING_API_KEY, SUNO_API_KEY) and documents exactly which external endpoints are used and why, and/or if the package removed implicit assumptions about sibling directories (or bundled all required child skills), the mismatch would be resolved and the skill would look coherent.

Review Dimensions

Purpose & Capability: concernThe skill's name/description (generate 3–5 min AI comic drama) aligns with its code: it orchestrates script → assets → video/TTS/lipsync → edit. However, the bundled code (scripts/_shared/ark_api.py and config.py) requires external service access (Volcengine/Ark, Kling, Suno) and expects an ARK_API_KEY environment variable, but the skill metadata declares no required env vars or primary credential. That omission is an incoherence: a media-generation orchestrator legitimately needs API credentials, so they should be declared.
Instruction Scope: noteSKILL.md instructs the agent to run local scripts and to collect user inputs and confirmations; it emphasizes cost preflight and checkpointed resumability. That scope is appropriate. But instructions and run.py will invoke child scripts that perform network calls to external APIs (ark/kling/suno). The SKILL.md suggests skipping SDK calls via prewritten script.json (SCRIPT_PREWRITTEN=1), which is useful, but the runtime instructions do not call out the required cloud credentials or network endpoints — this lack of explicit credential/network guidance is a concern.
Install Mechanism: okThere is no install spec and no remote download/install step — the skill is instruction/code-only. This lowers install-time risk (nothing fetched automatically). The orchestrator runs local Python scripts and uses subprocess to call sibling skill scripts; that is expected for a local monorepo-style orchestrator.
Credentials: concernThe code requires ARK_API_KEY (ArkClient raises if missing) and references other endpoints (kling/suno) which likely need credentials, but the skill metadata lists no required env vars. Requiring cloud API keys is proportional to the purpose, but failing to declare them in the metadata is a mismatch that may surprise users and can lead to accidental credential leakage if not handled explicitly.
Persistence & Privilege: okThe skill writes project artifacts and local state (.checkpoint.json, .cost.json, output/...), which is expected for a pipeline orchestrator. It does not request always:true or attempt to modify other skills' configs. Subprocess execution runs sibling scripts but only within the repo layout; this is expected behavior for an orchestrator but means executed code must be trusted.