v1.0.1

迷你厨房烹饪视频

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:01 AM.

Analysis

The skill matches its stated video-generation purpose, but users should notice that it uses a WeryAI API key and sends prompts or public image URLs to external services.

GuidanceThis appears coherent for a mini-kitchen video generation skill. Before installing, make sure you trust WeryAI, use a dedicated API key, verify any WERYAI_* endpoint environment variables, and only provide prompts or image URLs you are comfortable sending to external services.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

确认后执行 `node {baseDir}/scripts/video_gen.js wait --json '…'`

The skill instructs the agent to run a local Node.js script after user confirmation; this is purpose-aligned for submitting a video-generation job but still means local code will execute.

User impactAfter confirmation, the skill can run the bundled script and submit a remote video generation request, which may consume provider credits.

RecommendationReview the displayed parameters before confirming, especially model, duration, image URL, and whether audio generation is enabled.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

scripts/video_gen.js

const BASE_URL = (process.env.WERYAI_BASE_URL || 'https://api.weryai.com').replace(/\/$/, ''); ... Authorization: `Bearer ${apiKey}`

The script sends a bearer API key to the configured WeryAI base URL. This is expected for authenticated API use, but the credential can grant account access or consume credits.

User impactYour WeryAI API key is used for model, generation, and status requests; if the base URL environment variable is changed, the key could be sent to that configured endpoint.

RecommendationUse a dedicated, revocable WeryAI API key, monitor usage, and only set WERYAI_BASE_URL or WERYAI_MODELS_BASE_URL to endpoints you trust.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

图片 URL 必须是 HTTPS 公网可访问地址，本地路径无效，建议先上传到图床（如 imgbb、cloudinary）

Image-to-video mode requires an externally accessible image URL, meaning image content or links may be exposed to a hosting provider and then sent to WeryAI.

User impactPrivate or sensitive images should not be used unless you are comfortable hosting them externally and sending them to the video-generation provider.

RecommendationUse non-sensitive images or a trusted hosting setup with appropriate access controls, and avoid uploading private personal or business content.