Skill v1.0.0
ClawScan security
Ai Video Generator Free I · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 7:11 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's described functionality (cloud video generation) matches its runtime instructions, but there are inconsistencies and privacy/visibility concerns (automatic anonymous token minting, implicit storage of session/token, and mismatched declared config paths) that warrant caution before installing.
- Guidance
- This skill appears to do what it says (upload media and call a cloud rendering API), but it will automatically call external endpoints on first use to mint an anonymous token and create a session, and it may persist session/token data (SKILL.md mentions ~/.config/nemovideo/). The source and homepage are unknown — before installing, consider: (1) Do you trust the domain mega-api-prod.nemovideo.ai to handle your media and personal data? (2) If you prefer control, set NEMO_TOKEN yourself rather than allowing anonymous token minting. (3) Ask the publisher to clarify the config path behavior and where session data is stored, and request a privacy policy. If you need stronger guarantees, avoid using the skill until its source and storage behavior are verified.
Review Dimensions
- Purpose & Capability
- note: The skill's name and description (generate videos from text/images via a cloud backend) align with the API calls and upload/export flows in SKILL.md. Requesting a single service token (NEMO_TOKEN) is appropriate for a cloud service. However, the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata indicated no required config paths — this mismatch should be clarified.
- Instruction Scope
- concern: On first run the skill automatically POSTs to external endpoints to mint an anonymous token and create a session, and it instructs the agent to persist the session_id for later calls. It also instructs reading the skill's YAML frontmatter and probing install paths to set attribution headers. These are within the purpose (talking to the video backend), but the automatic, silent network activity and instructions to hide raw API responses/tokens from the user reduce visibility and control — a privacy/consent concern.
- Install Mechanism
- ok: There is no install spec and no code files; the skill is instruction-only, which minimizes disk-write and supply-chain risk.
- Credentials
- note: The skill requires a single credential (NEMO_TOKEN) which is proportionate. It explicitly supports obtaining an anonymous token if none is provided. However, the SKILL.md metadata references a config path that may be used to read or store tokens/sessions (~/.config/nemovideo/) despite the registry summary listing no required config paths — this extra filesystem access should be justified.
- Persistence & Privilege
- note: always:false (no forced inclusion), and autonomous invocation is normal. The skill does instruct storing session tokens and possibly using a config directory for persistence; that is a reasonable behavior for a long-running session, but it increases the window for stale credentials and means the skill will create persistent state on the host unless the user opts out.
