Trust Assessment
json2video-pinterest received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. Key findings include Suspicious import: requests, User-controlled URLs sent to external API, enabling potential SSRF.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/benhuebner01/claw-video-generator/scripts/generate_video.py:12 | |
| MEDIUM | User-controlled URLs sent to external API, enabling potential SSRF The skill allows users to provide arbitrary URLs for image and voiceover sources (`image.source`, `voice.source`) within the JSON configuration files (e.g., `scripts/example-config.json`). These URLs are then included in the payload sent to the `json2video.com` API by the `scripts/generate_video.py` script. If the `json2video.com` API fetches these user-provided URLs without proper validation, it could be exploited for Server-Side Request Forgery (SSRF). An attacker could provide URLs pointing to internal network resources of the `json2video.com` service, potentially leading to information disclosure or unauthorized access from the third-party service's environment. Implement strict URL validation for `image.source` and `voice.source` fields before sending them to the external API. This should include whitelisting allowed domains, blocking private IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and ensuring only expected protocols (e.g., HTTPS) are used. This validation should occur within the `build_image_element` and `build_voice_element` functions. | LLM | scripts/generate_video.py:90 | |
| MEDIUM | User-controlled URLs sent to external API, enabling potential SSRF The skill allows users to provide arbitrary URLs for image and voiceover sources (`image.source`, `voice.source`) within the JSON configuration files (e.g., `scripts/example-config.json`). These URLs are then included in the payload sent to the `json2video.com` API by the `scripts/generate_video.py` script. If the `json2video.com` API fetches these user-provided URLs without proper validation, it could be exploited for Server-Side Request Forgery (SSRF). An attacker could provide URLs pointing to internal network resources of the `json2video.com` service, potentially leading to information disclosure or unauthorized access from the third-party service's environment. Implement strict URL validation for `image.source` and `voice.source` fields before sending them to the external API. This should include whitelisting allowed domains, blocking private IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and ensuring only expected protocols (e.g., HTTPS) are used. This validation should occur within the `build_image_element` and `build_voice_element` functions. | LLM | scripts/generate_video.py:160 |
Scan History
Embed Code
[](https://skillshield.io/report/7f291d49d00ac780)
Powered by SkillShield