ClawHub
Back to skill
v1.0.0

scarcest-not-money-video-gen

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This is a disclosed WeryAI video-generation helper that needs a WeryAI API key and can upload local image files if that path is explicitly used.

GuidanceThis skill appears coherent and purpose-aligned. Before installing, make sure you are comfortable giving it a WeryAI API key and sending prompts or image inputs to WeryAI. Use public HTTPS image URLs when possible, and only provide local file paths when you intentionally want that file uploaded.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityInfoConfidenceHighStatusNote
SKILL.md
node scripts/video_gen.js wait --json '{"model":"KLING_V3_0_PRO","prompt":"…","duration":10,"aspect_ratio":"9:16"}'

The skill is not instruction-only at runtime; its documented workflow runs an included Node.js helper script.

User impactUsing the skill executes local JavaScript that talks to WeryAI, which is expected for generation but still worth noticing.
RecommendationRun it from a trusted checkout and review scripts/video_gen.js before using it with sensitive inputs or production credentials.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
metadata
Source: unknown; Homepage: none

The registry metadata does not provide an upstream source or homepage for provenance, even though the package includes a runnable script.

User impactUsers have less external provenance information for deciding whether to trust the included helper script.
RecommendationInspect the included files and prefer isolated credentials or a short-lived environment if provenance matters.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
**`WERYAI_API_KEY`**: Secret; **`requires.env`** / **`primaryEnv`**.

The skill requires a WeryAI credential to submit generation, status, model, and upload requests.

User impactThe skill can use the configured WeryAI account and may consume paid credits when generation is submitted.
RecommendationUse a dedicated or limited WeryAI key if possible, keep it out of prompts and shared logs, and monitor account usage.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
resources/WERYAI_VIDEO_API.md
Reads the file from disk. **POST**s it to **`https://api-growth-agent.weryai.com/growthai/v1/generation/upload-file`** with `Authorization: Bearer $WERYAI_API_KEY`

Local image inputs, when used, cross the local-to-provider data boundary and are uploaded to WeryAI.

User impactA local file supplied as an image input will leave the device and be sent to WeryAI to obtain a public URL.
RecommendationPrefer public HTTPS image URLs; only use local paths for non-sensitive images after confirming the exact file path.