Plugin v0.1.0

ClawScan security

Video Deep Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 2, 2026, 11:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions are coherent with a video-research plugin; it only uses an OAuth flow or an optional API token and will send queries to the declared VDR MCP server — no unrelated credentials, installs, or hidden code were found.
Guidance
This skill appears to do what it claims, but it will send your queries and any provided artifact paths to the external VDR MCP server (https://mcp.videodeepresearch.com by default). If you use the CLI token (VDR_MCP_TOKEN), avoid storing it in shared shells and verify the token issuer. Be cautious when supplying an s3_path — artifacts stored there could contain sensitive data and may be accessed by the VDR service or anyone with access to that S3 location. Verify that you trust the hostname and DeepVideoLab.ai before sending private data. Because OAuth is recommended, prefer the OAuth connector in Claude Desktop/Cowork to avoid handling raw tokens when possible.

Review Dimensions

Purpose & Capability
ok
Name, description, and declared tools (talk_to_1m, talk_to_ads, videoclaw, deep_research) match the runtime instructions and the .mcp.json configuration. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
note
Instructions stay within the plugin's purpose (search/analysis) and describe OAuth or CLI token flows. One scope note: skills accept an optional s3_path parameter for artifact storage — if used, artifacts may be read/written by the VDR service or whatever S3 endpoint is supplied. The SKILL.md does not instruct the agent to read unrelated local files or extra env vars.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — nothing will be written to disk by an installer. Lowest-risk install posture.
Credentials
ok
Only optional environment values are referenced: VDR_MCP_TOKEN (CLI) and VDR_VIDEO_RESEARCH_URL (override). These are proportional to a plugin that can operate via CLI token or OAuth. No unrelated secrets or multiple external service credentials are requested.
Persistence & Privilege
ok
always:false and default autonomous invocation allowed (platform default). The skill does not request persistent system privileges or attempt to modify other skills or system-wide settings.