v0.1.2

Art Process Video

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

The skill appears to do what it advertises—generate videos through WeryAI—but it requires a WeryAI API key, sends prompts/images to the WeryAI service, and may consume paid credits.

GuidanceInstall only if you trust the package enough to provide a WeryAI API key. Before confirming a run, check the full expanded prompt, image URLs, model, duration, and cost implications; avoid private images or sensitive prompt details unless you are comfortable sending them to WeryAI.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Each successful `wait` run consumes WeryAI credits; re-running creates new paid tasks.

The skill can initiate paid remote generation jobs, but this is clearly disclosed and the workflow requires confirmation before submission.

User impactUsing the skill can spend WeryAI credits and create remote generation tasks.

RecommendationReview the full prompt and parameters before confirming, and use `--dry-run` when you only want to inspect the request.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The registry metadata does not identify a source repository or homepage, so provenance is limited even though the included script is visible and has no npm dependency install step.

User impactUsers have less external provenance information for deciding whether to trust the script with an API key.

RecommendationReview `scripts/video_gen.js` directly and only install/use the skill if you trust the package source.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

`WERYAI_API_KEY` **must be set** in the environment before running `video_gen.js`.

The skill requires a service credential to access the user's WeryAI account, which is expected for the integration but still grants account-level generation authority.

User impactAnyone able to run the skill with this environment variable can submit jobs using the configured WeryAI account.

RecommendationUse a dedicated or limited WeryAI key/account if possible, avoid committing the key, and rotate it if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

prompts, images, and your bearer token could be sent elsewhere

The skill acknowledges that prompts, public image URLs, and the bearer token are sent to an API host; this is necessary for WeryAI generation and the script restricts override hosts.

User impactPrompts and referenced images are processed by an external provider, so they should not contain private material unless the user accepts that data flow.

RecommendationUse only public HTTPS image URLs you are comfortable sending to WeryAI, and verify any WERYAI_*_BASE_URL overrides before running.