ClawHub
Back to skill
v1.0.2

video-creation

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

This skill appears purpose-aligned for generating videos, but it needs Chanjing API credentials and sends script/audio/prompt content to that provider while using local ffmpeg tools.

GuidanceBefore installing, verify the publisher/source, use Chanjing credentials you are comfortable delegating to this workflow, and only submit topics, scripts, voices, or media that you are willing to have processed by Chanjing and local ffmpeg tools.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/run_render.py
def run_subprocess(
    argv: list[str], *, timeout: int = 900, env: Optional[dict] = None
) -> str:
    r = subprocess.run(
        argv,
        capture_output=True,
        text=True,

The renderer runs local subprocesses, mainly ffmpeg/ffprobe, to probe and compose media. This is central to the stated rendering purpose and uses argument lists rather than shell strings in the shown code.

User impactRendering depends on local media binaries and can consume local CPU/disk while processing downloaded media files.
RecommendationEnsure ffmpeg and ffprobe come from trusted installations and run the skill in a normal user environment with an output directory you control.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
metadata
Source: unknown
...
No install spec — this is an instruction-only skill.

The registry metadata does not identify a source repository, while the skill includes local Python code and requires service credentials; there is no hidden installer shown, but provenance should be verified before use.

User impactYou may be running local code from a publisher/source that is not clearly identified in the supplied metadata.
RecommendationVerify the registry owner and provider relationship before supplying credentials, and review the included code if your account or content is sensitive.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
clients/auth.py
app_id = (os.environ.get("CHANJING_APP_ID") or "").strip()
secret_key = (os.environ.get("CHANJING_SECRET_KEY") or "").strip()
...
url = f"{API_BASE}/open/v1/access_token"

The code reads Chanjing app credentials from environment variables and exchanges them for an access token; this is expected for the integrated API, but it grants the skill delegated access to the user's Chanjing account.

User impactThe skill can submit and poll media-generation tasks under the Chanjing account whose credentials you provide.
RecommendationUse credentials intended for this service, prefer least-privilege or revocable keys if available, and revoke or rotate them if you stop using the skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
运行过程中会调用蝉镜开放 API、上传切段音频、下载生成媒体,并在本地输出目录写入中间文件与最终 mp4。

The skill explicitly discloses that it calls the Chanjing API, uploads audio segments, downloads generated media, and writes local outputs; this is purpose-aligned but crosses a third-party data boundary.

User impactTopics, scripts, prompts, and generated audio/media may be sent to Chanjing during rendering.
RecommendationDo not provide private or regulated content unless you are comfortable with Chanjing processing it, and review that provider's data handling terms.