Skill v1.0.0

ClawScan security

Industrial Mecha Style Transform (Seedance 2.0) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 22, 2026, 8:26 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime behavior are coherent with a video-generation wrapper for WeryAI: it legitimately needs node and a WERYAI_API_KEY, and the included script documents and implements the expected network calls and local-image upload behavior.
Guidance
This package appears to be what it says: a Node.js CLI that calls WeryAI endpoints and (if you give it local file paths) will read and upload local image files to WeryAI using your WERYAI_API_KEY. Before installing or running:
1) do not commit your WERYAI_API_KEY into the repo; configure it in a secure runtime environment;
2) review scripts/video_gen.js yourself if you plan to pass local file paths (the script will read and upload those files);
3) prefer public https image URLs to avoid local uploads;
4) run in an isolated account or container if you want higher assurance; and
5) confirm you are willing to allow uploads to the fixed hosts (api.weryai.com and api-growth-agent.weryai.com) and that the SEEDANCE_2_0 model requirement fits your policy.
These are expected operational cautions rather than indicators of covert behavior.

Review Dimensions

Purpose & Capability
ok: The name/description (mecha-style video generation) match the delivered artifacts: SKILL.md, a Node.js CLI, and a WERYAI API reference. Required binary (node) and the single required env var (WERYAI_API_KEY) are appropriate for an API-backed video generation skill.
Instruction Scope
ok: SKILL.md explicitly restricts scope (SEEDANCE_2_0 model only), requires mandatory prompt expansion, and documents the exact CLI calls. It also documents that local files may be read and uploaded and requires explicit consent before doing so — this local-read/upload behavior is expected for image→video flows and is implemented in the bundled script.
Install Mechanism
ok: No install spec is present (instruction + shipped script only). The script is plain Node.js with no npm dependencies and uses standard APIs and fixed HTTPS endpoints. Nothing is downloaded from arbitrary URLs or written to unexpected system locations.
Credentials
ok: Only WERYAI_API_KEY is required and is the declared primary credential. The script reads no other environment variables and uses the key for Authorization headers to the documented WeryAI hosts; this is proportional to the skill's function.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated privileges or modify other skills or global agent settings. It runs as an invoked CLI and does not persist additional credentials or configuration beyond using the provided API key at runtime.