Pluginv1.0.0

ClawScan security

Animate Old Photos · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 14, 2026, 2:32 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, instructions, and requested access are consistent with a Cursor/Copilot-style plugin that uses the hosted animateoldphotos.org MCP endpoint to animate photos; nothing requested or instructed appears disproportionate or unrelated to that purpose.
Guidance: This package appears to be a straightforward skill that directs the agent to use the hosted Animate Old Photos service. Before installing or using it: (1) only provide your Animate Old Photos API key to this trusted service and avoid pasting it into public chats — prefer platform-provided secret storage where available; (2) confirm you understand costs (3 credits per animation) and that animations require a publicly accessible image URL (or that you'll upload your local image to a public host); (3) verify the MCP server URL (https://animateoldphotos.org/api/mcp) is the official endpoint you expect; (4) note the repo includes an implementation-analysis file describing internal REST endpoints and token/upload flows — that's implementation detail, but if you plan to publish a remote MCP server, ensure it is properly deployed with TLS, authentication checks, and rate-limiting. If you expected packaged scripts or a local helper (reference.md or scripts/animate.sh), those are not present in this release — confirm whether additional files or a deployed MCP server will be provided before relying on an automatic workflow.

Review Dimensions

Purpose & Capability: okName/description (Animate Old Photos) match the repository contents and runtime instructions: the SKILL.md, README, plugin manifest, and mcp.json all point to the hosted animateoldphotos.org MCP endpoint and describe the same 3 tools (check_credits, animate_photo, get_task_status). No unrelated credentials, binaries, or install steps are required.
Instruction Scope: noteThe SKILL.md instructs the agent to ask the user for an API key (or read AOP_API_KEY if set), accept a publicly accessible image URL (or help the user upload local files to a public host), call check_credits/animate_photo/get_task_status, and return the video URL. These actions are within the scope of animating photos. Note: the repo contains an analysis file (temp/cursor_chrome_extension_skill_analysis.md) that reveals the service's internal REST endpoints and token/upload flow (presigned upload tokens, access token exchange). That is implementation detail but not unexpected; the SKILL.md itself does not instruct the agent to read unrelated system files or to transmit data to unexpected third-party endpoints.
Install Mechanism: okNo install spec and no code files that would be written or executed locally — this is an instruction-only skill. Instruction-only skills have minimal install risk because nothing is downloaded or executed by default.
Credentials: okRegistry metadata lists no required environment variables. SKILL.md mentions an optional AOP_API_KEY env var as a convenience; that is proportionate to a service that requires an API key. No unrelated credentials or config paths are requested.
Persistence & Privilege: okalways is false and the skill does not request persistent/system-wide privileges. It does not modify other skills or agent-wide config in the repository contents provided.