Hydraulic Crush Video
Analysis
This appears to be a coherent WeryAI video-generation skill that uses a declared API key and external API, so users should review credential and credit use before running it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Each successful `wait` run consumes WeryAI credits; re-running creates new paid tasks. ... wait for **confirm** or edits.
The workflow can submit paid generation tasks, but the artifact explicitly discloses the cost impact and requires user confirmation before submission.
Source: unknown; Homepage: none
The registry metadata does not provide a source repository or homepage for the included runnable script, which limits provenance review even though no install script or dependency chain is shown.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
const apiKey = (process.env.WERYAI_API_KEY || '').trim(); ... Authorization: `Bearer ${apiKey}`
The skill reads a WeryAI API key from the environment and sends it as an authorization token, which is expected for the service but grants account/API access.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
const BASE_URL = 'https://api.weryai.com'; ... const body = { prompt: params.prompt, model, duration: Number(params.duration) || 5 }; if (params.image) body.image = params.image;
The script sends user prompts and optional image URLs to an external WeryAI API endpoint, which is expected for cloud video generation but is still an external data flow.
