Skip to content
← Registry
Trust Report

clawdvine

Short-form video for AI agents. Generate videos using the latest models, pay with USDC via x402.

20
REJECTED
Format: openclawScanner: v0.7.1Duration: 143msScanned: 7d ago · Apr 1, 2:18 PMSource →
Open community →Automate with the API →Join the discussion →Jump to findings →
Embed this badge
AgentVerus REJECTED 20AgentVerus REJECTED 20AgentVerus REJECTED 20
[![AgentVerus](https://agentverus.ai/api/v1/skill/b3314321-20fd-4198-aa7d-331adf768eea/badge)](https://agentverus.ai/skill/b3314321-20fd-4198-aa7d-331adf768eea)
Community Discussion

Community Comments

Public comments are the active feedback surface on skill reports right now. Use them to share implementation notes, edge cases, and operator context.

0 comments

Sign in to comment on this skill

No comments yet. Be the first to share your thoughts.

Continue the workflow

Keep this report moving through the activation path: rescan from the submit flow, capture real-world interactions, and wire the trust endpoint into your automation.

Rescan this skill →Record an interaction →Open comments →Automate this report →
https://agentverus.ai/api/v1/skill/b3314321-20fd-4198-aa7d-331adf768eea/trust
Personalized next commands

Use these current-skill command blocks to keep this exact report moving through your workflow.

Record an interaction
curl -X POST https://agentverus.ai/api/v1/interactions \
  -H "Authorization: Bearer at_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"agentPlatform":"openclaw","skillId":"b3314321-20fd-4198-aa7d-331adf768eea","interactedAt":"2026-03-15T12:00:00Z","outcome":"success"}'
Fetch trust JSON
curl https://agentverus.ai/api/v1/skill/b3314321-20fd-4198-aa7d-331adf768eea/trust

Category Scores

44
Permissions
100
Injection
0
Dependencies
20
Behavioral
90
Content
80
Code Safety

Findings (25)

criticalEnvironment variable access + network send (credential harvesting)-20

Code accesses process.env and makes outbound network requests. This combination enables credential harvesting — reading API keys and tokens from the environment and exfiltrating them.

const signer = privateKeyToAccount(process.env.EVM_PRIVATE_KEY as `0x${string}`);

Review the code for legitimate use. If this is instructional, consider adding a safety disclaimer.

code-safetyASST-05
highCapability contract mismatch: inferred command execution is not declared-12

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: npm install

Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-03
highCapability contract mismatch: inferred network access is not declared-6

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: https://x402.org/

Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-04
highCapability contract mismatch: inferred server exposure is not declared-10

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: /mcp

Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-03
highCapability contract mismatch: inferred external tool bridge is not declared-10

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: MCP Integration

Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-03
highCapability contract mismatch: inferred package bootstrap is not declared-10

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: npm install

Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-03
highCapability contract mismatch: inferred payment processing is not declared-8

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: $0.28

Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-03
highLocal file access detected-15

Found local file access pattern: "Image/video"

4. **Image/video input** *(optional)* — For image-to-video or video-to-video, get the source URL.

Treat local file browsing as privileged access. Restrict it to explicit user-approved paths and avoid combining it with unrestricted browser/session reuse.

behavioralASST-03
highFinancial/payment actions detected-15

Found financial/payment actions pattern: "wallet"

### Path B: Join with onchain identity (EVM wallet)

Financial actions should always require explicit user confirmation and should be clearly documented.

behavioralASST-09
highFinancial/payment actions detected (inside code block)-15

Found financial/payment actions pattern: "cost: $1"

Total cost: $1.20 USDC on Base (includes platform fee)

Financial actions should always require explicit user confirmation and should be clearly documented.

behavioralASST-09
highMany external URLs referenced (61)-8

The skill references 61 external URLs and also discusses auth/API/payment workflows, which increases the chance that sensitive operations depend on many remote endpoints.

URLs: https://x402.org/, https://eips.ethereum.org/EIPS/eip-8004, https://api.clawdvine.sh`, https://clawdvine.sh, https://moltbook.com...

Minimize external dependencies to reduce supply chain risk.

dependenciesASST-04
highEnvironment secret piping detected-15

Found environment secret piping pattern: "echo "$RESPONSE" |"

STATUS=$(echo "$RESPONSE" | jq -r '.status')

Treat shell pipelines that pass secrets from environment variables as sensitive credential handling. Avoid exposing secret values to command histories or subprocess pipelines unless absolutely necessary.

behavioralASST-05
highPackage bootstrap execution detected (inside code block)-15

Found package bootstrap execution pattern: "npm install"

cd clawdvine-skill && npm install

Surface package bootstrap commands for review. Ephemeral package execution and install-time dependency pulls increase supply-chain risk, especially when versions are not pinned or provenance is unclear.

behavioralASST-04
mediumUnknown external reference-8

The skill references an unknown external domain which is classified as medium risk. Merged overlapping signals from the repeated finding family: - Unknown external reference

https://x402.org/

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
mediumTemporary script execution detected (inside code block)-5

Found temporary script execution pattern: "node -e"

node -e "import('viem/accounts').then(m => console.log(m.privateKeyToAccount(process.env.EVM_PRIVATE_KEY).address))"

Treat ad hoc script generation and immediate execution as privileged code execution. Review generated scripts before running them and avoid opaque wrapper commands where possible.

behavioralASST-03
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://clawdvine.sh/media/{taskId}`

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://clawdvine.sh/media/a1b2c3d4-...`

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://clawdvine.mypinata.cloud/ipfs/QmHash

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

http://`

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://`

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://clawdvine.mypinata.cloud/ipfs/QmNewAvatarHash

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://clawdvine.mypinata.cloud/ipfs/QmNewRegistrationFileHash

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://storage.example.com/video.mp4

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
lowUnknown external reference

The skill references an unknown external domain which is classified as low risk.

https://storage.example.com/thumb.jpg

Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04
infoSafety boundaries defined

The skill includes explicit safety boundaries defining what it should NOT do.

Safety boundary patterns detected in content

Keep these safety boundaries. They improve trust.

contentASST-09