ClawHub
Back to skill
v1.0.0

steampunk-transform-video-gen-seedance2-0

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This is a disclosed WeryAI video-generation skill that needs a WeryAI API key and can upload chosen local images, so users should confirm inputs, model, and costs before running it.

GuidanceInstall only if you trust this package enough to give it a WeryAI API key. Use a revocable key, verify the confirmation table before every run, keep the model set to SEEDANCE_2_0, and do not provide local file paths unless you intentionally want that image uploaded to WeryAI.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
The script does not enforce this skill's allowed model in code: you must set "model":"SEEDANCE_2_0" ... Each `wait` run may consume credits

The CLI can submit paid generation jobs and does not code-enforce the advertised model restriction, so correctness depends on the agent following the confirmation workflow.

User impactA mistaken invocation could use an unintended model or create an extra paid task.
RecommendationBefore confirming, verify the table shows model SEEDANCE_2_0, the intended prompt, duration, aspect ratio, audio setting, and image source.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none

The package provenance is not linked to a public source or homepage. The included code is visible in the artifact set, so this is a provenance notice rather than evidence of hidden behavior.

User impactUsers have less external context for who maintains the skill or where to verify updates.
RecommendationReview the included script and registry owner before configuring credentials, especially for production or high-credit accounts.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
"primaryEnv": "WERYAI_API_KEY", "paid": true, "network_required": true

The skill requires a WeryAI API key for a paid network service. This is expected for video generation, but it grants access to the user's WeryAI account/credits.

User impactAnyone using this skill must provide a WeryAI credential, and generation attempts may spend account credits.
RecommendationUse a limited or revocable WeryAI key, do not commit it to the skill package, and only install if you trust the package source.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
resources/WERYAI_VIDEO_API.md
Reads the file from disk. POSTs it to https://api-growth-agent.weryai.com/growthai/v1/generation/upload-file with Authorization: Bearer $WERYAI_API_KEY

For local image inputs, the skill's provider workflow sends the selected local file to WeryAI to obtain a public URL. This is disclosed and purpose-aligned, but it is a sensitive third-party data transfer.

User impactIf a local path is used, that image file leaves the local machine and is uploaded to WeryAI.
RecommendationPrefer public HTTPS image URLs. Only pass local file paths after confirming the exact file and intentionally agreeing to upload it.