Huo15 Comic Storyboard

Review: Audited by ClawScan on May 10, 2026.

Overview

The skill generally does the advertised storyboard generation, but it needs review because unvalidated input can write files outside the intended output folder and can upload manifest-selected local files to the image provider.

Use this skill only with trusted script.json and character manifest files. Run it in a dedicated project directory, review scene ids and referenced images before execution, and use a budget-limited ARK API key because the workflow sends reference images to Volcengine and can incur generation costs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or untrusted script.json could make the skill create or overwrite .png files outside the intended output folder.

Why it was flagged

The scene id comes from script.json and is used directly as part of the output file path. Absolute paths or path traversal sequences in the scene id could cause generated images to be written outside the requested storyboard directory.

Skill content

sid = scene["id"]                 # scene id taken verbatim from script.json
out = out_dir / f"{sid}.png"      # joined into the output path with no validation; an absolute sid replaces out_dir entirely
...
download(url, out)                # the generated image is written wherever the path resolved to

Recommendation

Sanitize scene ids to safe filenames, reject absolute paths and path separators, and verify the resolved output path remains inside out_dir before writing.

What this means

If the character manifest is wrong or malicious, the skill could upload unintended local files as reference images to the external provider.

Why it was flagged

Reference image paths are taken from the character manifest and sent to the provider workflow without checking that they are under --char-dir. ArkClient converts local reference paths into data URIs for the remote image-generation request.

Skill content

for img in info.get("images", []):    # image paths come straight from the character manifest
    if "_full." in img:
        refs.append(img)              # no check that img resolves under --char-dir or is an image
...
client.generate_image(
    prompt=prompt,
    reference_images=refs,            # ArkClient reads these local files and embeds them as data URIs in the remote request
    size="768x1344",
)

Recommendation

Only use trusted character manifests, and update the skill to resolve and require reference paths to stay under the selected character directory with image-type validation.

What this means

Users must provide a provider API key, and the key may authorize paid generation requests.

Why it was flagged

The code requires an ARK_API_KEY provider credential. That is expected for Seedream generation, but the registry metadata declares no required environment variables and no primary credential, so the requirement is undocumented.

Skill content

self.api_key = api_key or os.environ.get("ARK_API_KEY", "")   # credential read from the environment, not declared in metadata
if not self.api_key:
    raise RuntimeError("缺少 ARK_API_KEY 环境变量")   # message: "ARK_API_KEY environment variable is missing"

Recommendation

Document ARK_API_KEY in metadata and use a limited-scope or budget-limited key where possible.