v0.1.0

Zyt one click video creation

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

The skill is coherent for one-click short-video creation, but it requires trusting it with Chanjing API credentials and with sending scripts/audio/prompts to Chanjing services while running local media tools.

Guidance: Before installing, confirm you trust Chanjing’s API service, verify CHANJING_API_BASE is the official endpoint you intend to use, protect ~/.chanjing/credentials.json or your configured credentials directory, and avoid submitting confidential scripts or audio unless the provider’s data practices are acceptable.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/run_render.py
r = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, env={**os.environ, **(env or {})})

The renderer executes local command-line tools such as ffmpeg and ffprobe through subprocess calls, which is central to the stated media-rendering purpose.

User impact: The skill will run local media binaries and process downloaded/generated media on the machine where it is invoked.
Recommendation: Ensure ffmpeg and ffprobe are installed from trusted sources and that the output/work directories are appropriate for generated media files.
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: Medium | Status: Note
metadata
Source: unknown; No install spec — this is an instruction-only skill.

The registry does not identify the source provenance, although there is no automatic install script in the provided artifacts.

User impact: Users have less provenance context for who authored or maintains the bundled code and instructions.
Recommendation: Review the bundled files and install only if you trust the ClawHub listing and the Chanjing integration it targets.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
clients/auth.py
CONFIG_FILE = CONFIG_DIR / "credentials.json" ... "app_id": app_id, "secret_key": secret_key ... data["access_token"] = token; write_config(data)

The client reads Chanjing app credentials from a local file, exchanges them for an access token, and writes token state back to the credentials file.

User impact: The skill can act through the configured Chanjing account and may consume API quota or affect account-managed generation tasks.
Recommendation: Use a dedicated Chanjing credential if possible, keep the credentials file protected, and verify CHANJING_API_BASE points to the intended official API endpoint.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
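During operation, it calls the Chanjing open API, uploads segmented audio, downloads generated media, and writes intermediate files and the final mp4 to the local output directory.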

The skill explicitly sends generated audio and generation requests to an external provider and downloads generated media.

User impact: Topics, scripts, prompts, voiceover audio, and generated media may be processed by Chanjing’s external services.
Recommendation: Do not use highly sensitive or confidential scripts unless Chanjing’s data handling terms are acceptable for your use case.